SmartHawk

12.6

0-day

60 个模型检测该样本为恶意！

重新分析

下载样本

51c53576e439424a479865f5b9c19288f4ba48743b513cd3ead582d0cc647187

47f64a1f24d434108e3a2e49acb8759f.exe

分析耗时

50s

最近分析

文件大小

2.0MB

静态报毒动态报毒 2FNPD5 @Z0AAKP6X7II ABSY AGENTWDCR AI SCORE=85 AIDETECTVM ARTEMIS ATTRIBUTE BITWALL CRYPTBOT DEAQATTUKQG DOWNLOADER34 GDLSL HIGH CONFIDENCE HIGHCONFIDENCE HUPJPJ KCLOUD KTSE KVMH008 MALICIOUS PE MALWARE1 MALWARE@#D3WRP1QH0FUE MALWAREX PGDI QVM19 RNKBEND S + MAL SCORE SOMB SPYEYES STATIC AI SUSGEN SUSPICIOUSPACKED THEMIDA TSCOPE UNSAFE ZEXAF ZMISS 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!47F64A1F24D4	20210108	6.0.6.653
Alibaba	TrojanSpy:Win32/BitWall.fcabeecd	20190527	0.3.0.5
CrowdStrike		20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:MalwareX-gen [Trj]	20210108	21.1.5827.0
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)	20210108	2017.9.26.565
Tencent	Win32.Trojan-spy.Bitwall.Pgdi	20210108	1.0.0.1

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620726239.964343 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (13 个事件)

Time & API	Arguments	Status	Return	Repeated
1620726216.011343 IsDebuggerPresent		failed	0	0
1620726218.011343 IsDebuggerPresent		failed	0	0
1620726220.027343 IsDebuggerPresent		failed	0	0
1620726222.042343 IsDebuggerPresent		failed	0	0
1620726224.058343 IsDebuggerPresent		failed	0	0
1620726226.074343 IsDebuggerPresent		failed	0	0
1620726228.089343 IsDebuggerPresent		failed	0	0
1620726230.105343 IsDebuggerPresent		failed	0	0
1620726232.120343 IsDebuggerPresent		failed	0	0
1620726234.136343 IsDebuggerPresent		failed	0	0
1620726236.152343 IsDebuggerPresent		failed	0	0
1620726238.167343 IsDebuggerPresent		failed	0	0
1620726240.183343 IsDebuggerPresent		failed	0	0

Command line console output was observed (9 个事件)

Time & API	Arguments	Status	Return
1620727621.371625 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\47f64a1f24d434108e3a2e49acb8759f.exe console_handle: 0x00000007	success	1
1620727621.402625 WriteConsoleW	buffer: 另一个程序正在使用此文件，进程无法访问。 console_handle: 0x0000000b	success	1
1620727618.715375 WriteConsoleW	buffer: 等待 2 console_handle: 0x00000007	success	1
1620727618.715375 WriteConsoleW	buffer: 秒，按一个键继续 ... console_handle: 0x00000007	success	1
1620727618.902125 WriteConsoleW	buffer: 系统找不到指定的文件。 console_handle: 0x0000000b	success	1
1620727621.902125 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\47f64a1f24d434108e3a2e49acb8759f.exe console_handle: 0x00000007	success	1
1620727621.902125 WriteConsoleW	buffer: 拒绝访问。 console_handle: 0x0000000b	success	1
1620727619.37125 WriteConsoleW	buffer: 等待 2 console_handle: 0x00000007	success	1
1620727619.37125 WriteConsoleW	buffer: 秒，按一个键继续 ... console_handle: 0x00000007	success	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 个事件)

section	\x00
section	.idata
section
section	hsrgfawb
section	cbkibcfr

One or more processes crashed (50 out of 125 个事件)

Time & API	Arguments	Status
1620726215.527343 __exception__	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3864920 registers.edi: 0 registers.eax: 1 registers.ebp: 3864936 registers.edx: 21286912 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x31d0b9 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 3264697 exception.address: 0x12ad0b9	success
1620726215.527343 __exception__	stacktrace: registers.esp: 3864884 registers.edi: 1983119592 registers.eax: 32397 registers.ebp: 3998531604 registers.edx: 16318464 registers.ebx: 62836 registers.esi: 3 registers.ecx: 16834069 exception.instruction_r: fb 52 e9 02 ff ff ff 21 cd 8b 0c 24 e9 60 03 00 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x7e0d2 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 516306 exception.address: 0x100e0d2	success
1620726215.542343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 1983119592 registers.eax: 32397 registers.ebp: 3998531604 registers.edx: 16318464 registers.ebx: 62836 registers.esi: 3 registers.ecx: 16866466 exception.instruction_r: fb 52 89 34 24 c7 04 24 84 01 8d 7e 89 3c 24 c7 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x7e5b8 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 517560 exception.address: 0x100e5b8	success
1620726215.542343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 4294937776 registers.eax: 32397 registers.ebp: 3998531604 registers.edx: 16318464 registers.ebx: 921834856 registers.esi: 3 registers.ecx: 16866466 exception.instruction_r: fb 56 c7 04 24 eb 5b 49 53 89 0c 24 b9 08 55 aa exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x7e8ef exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 518383 exception.address: 0x100e8ef	success
1620726215.542343 __exception__	stacktrace: registers.esp: 3864884 registers.edi: 4294937776 registers.eax: 32457 registers.ebp: 3998531604 registers.edx: 16837284 registers.ebx: 597830450 registers.esi: 3 registers.ecx: 16866466 exception.instruction_r: fb 50 b8 56 76 fe 7b c1 e0 07 f7 d0 40 05 d9 fd exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x7f0d3 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 520403 exception.address: 0x100f0d3	success
1620726215.542343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 4294937776 registers.eax: 32457 registers.ebp: 3998531604 registers.edx: 16869741 registers.ebx: 597830450 registers.esi: 3 registers.ecx: 16866466 exception.instruction_r: fb e9 50 ff ff ff 0d 83 48 77 7f 68 c7 0f af 61 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x7ecdc exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 519388 exception.address: 0x100ecdc	success
1620726215.558343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 4294937720 registers.eax: 32457 registers.ebp: 3998531604 registers.edx: 16869741 registers.ebx: 238825 registers.esi: 3 registers.ecx: 16866466 exception.instruction_r: fb 81 ec 04 00 00 00 e9 6c 01 00 00 68 2d c9 d2 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x7f215 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 520725 exception.address: 0x100f215	success
1620726215.558343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 0 registers.eax: 640745 registers.ebp: 3998531604 registers.edx: 2130566132 registers.ebx: 34341388 registers.esi: 18411158 registers.ecx: 524 exception.instruction_r: fb 68 14 a7 b6 5f 89 3c 24 e9 4f fe ff ff 50 54 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x1fe482 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2090114 exception.address: 0x118e482	success
1620726215.558343 __exception__	stacktrace: registers.esp: 3864884 registers.edi: 0 registers.eax: 32359 registers.ebp: 3998531604 registers.edx: 104986586 registers.ebx: 1443354359 registers.esi: 18411158 registers.ecx: 18414889 exception.instruction_r: fb 50 e9 86 00 00 00 5c 89 14 24 c7 04 24 b4 32 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x200187 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2097543 exception.address: 0x1190187	success
1620726215.558343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 0 registers.eax: 32359 registers.ebp: 3998531604 registers.edx: 1549541099 registers.ebx: 4294937780 registers.esi: 18411158 registers.ecx: 18447248 exception.instruction_r: fb e9 00 00 00 00 83 ec 04 89 14 24 e9 00 00 00 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x2007ee exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2099182 exception.address: 0x11907ee	success
1620726215.558343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 1781258 registers.eax: 30321 registers.ebp: 3998531604 registers.edx: 224622767 registers.ebx: 18477550 registers.esi: 0 registers.ecx: 1983369708 exception.instruction_r: fb e9 59 00 00 00 5e 81 ee 4b 90 ff 1d e9 53 00 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x208650 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2131536 exception.address: 0x1198650	success
1620726215.574343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 0 registers.eax: 30321 registers.ebp: 3998531604 registers.edx: 224622767 registers.ebx: 18450394 registers.esi: 1114345 registers.ecx: 1983369708 exception.instruction_r: fb 56 be 99 b0 fd 7c 89 f0 5e 83 ec 04 89 14 24 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x2082f3 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2130675 exception.address: 0x11982f3	success
1620726215.574343 __exception__	stacktrace: registers.esp: 3864880 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 3998531604 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 18454558 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 5a 0c 00 00 81 c6 17 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x20a324 exception.instruction: in eax, dx exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2138916 exception.address: 0x119a324	success
1620726215.574343 __exception__	stacktrace: registers.esp: 3864880 registers.edi: 0 registers.eax: 1 registers.ebp: 3998531604 registers.edx: 22104 registers.ebx: 0 registers.esi: 18454558 registers.ecx: 20 exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x20a447 exception.address: 0x119a447 exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc000001d exception.offset: 2139207	success
1620726215.574343 __exception__	stacktrace: registers.esp: 3864880 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 3998531604 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 18454558 registers.ecx: 10 exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 56 37 ac 12 01 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x209cd8 exception.instruction: in eax, dx exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2137304 exception.address: 0x1199cd8	success
1620726215.777343 __exception__	stacktrace: registers.esp: 3864884 registers.edi: 0 registers.eax: 18488591 registers.ebp: 3998531604 registers.edx: 2130566132 registers.ebx: 38486827 registers.esi: 10 registers.ecx: 3252289536 exception.instruction_r: fb 2d ff dc f9 7d e9 d8 02 00 00 81 e1 42 25 b3 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x21207c exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2171004 exception.address: 0x11a207c	success
1620726215.777343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 4294941564 registers.eax: 18516963 registers.ebp: 3998531604 registers.edx: 2130566132 registers.ebx: 38486827 registers.esi: 10 registers.ecx: 6379 exception.instruction_r: fb 68 28 43 55 5e 89 0c 24 c7 04 24 82 23 44 08 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x212119 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2171161 exception.address: 0x11a2119	success
1620726215.777343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 0 registers.eax: 3864848 registers.ebp: 3998531604 registers.edx: 18492459 registers.ebx: 18492751 registers.esi: 1139353852 registers.ecx: 18492377 exception.instruction_r: cd 01 eb 00 66 8b cb 64 8f 05 00 00 00 00 6a 00 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x212c5d exception.instruction: int 1 exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000005 exception.offset: 2174045 exception.address: 0x11a2c5d	success
1620726215.777343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 4294941564 registers.eax: 29396 registers.ebp: 3998531604 registers.edx: 654654 registers.ebx: 1730755487 registers.esi: 3679 registers.ecx: 18548545 exception.instruction_r: fb e9 96 fd ff ff 87 1c 24 e9 7c f8 ff ff 2d 1a exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x219e39 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2203193 exception.address: 0x11a9e39	success
1620726215.777343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 4294941564 registers.eax: 4294940600 registers.ebp: 3998531604 registers.edx: 654654 registers.ebx: 1730755487 registers.esi: 606898512 registers.ecx: 18548545 exception.instruction_r: fb 50 54 e9 4d 00 00 00 81 f7 9e 36 2f b6 e9 bd exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x21992b exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2201899 exception.address: 0x11a992b	success
1620726215.949343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 16826498 registers.eax: 31853 registers.ebp: 3998531604 registers.edx: 6 registers.ebx: 18586266 registers.esi: 1983190032 registers.ecx: 0 exception.instruction_r: fb 31 c0 ff 34 18 e9 fc f5 ff ff 56 50 68 5a b9 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x222959 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2238809 exception.address: 0x11b2959	success
1620726215.949343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 16826498 registers.eax: 4294938484 registers.ebp: 3998531604 registers.edx: 6 registers.ebx: 18586266 registers.esi: 1983190032 registers.ecx: 1407682903 exception.instruction_r: fb 83 ec 04 89 2c 24 57 e9 76 03 00 00 81 ef 27 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x2221c4 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2236868 exception.address: 0x11b21c4	success
1620726215.949343 __exception__	stacktrace: registers.esp: 3864884 registers.edi: 16826498 registers.eax: 25966 registers.ebp: 3998531604 registers.edx: 6 registers.ebx: 18563357 registers.esi: 1983190032 registers.ecx: 344960095 exception.instruction_r: fb 50 55 68 c1 17 08 3a e9 8e 00 00 00 8b 0c 24 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x224821 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2246689 exception.address: 0x11b4821	success
1620726215.949343 __exception__	stacktrace: registers.esp: 3864888 registers.edi: 16826498 registers.eax: 588777 registers.ebp: 3998531604 registers.edx: 0 registers.ebx: 18566355 registers.esi: 1983190032 registers.ecx: 344960095 exception.instruction_r: fb 55 68 62 d9 6e 2e 89 24 24 e9 11 03 00 00 89 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x2241ac exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2245036 exception.address: 0x11b41ac	success
1620726215.949343 __exception__	stacktrace: registers.esp: 3864880 registers.edi: 16826498 registers.eax: 29260 registers.ebp: 3998531604 registers.edx: 2130566132 registers.ebx: 594295711 registers.esi: 1983190032 registers.ecx: 18626200 exception.instruction_r: fb 56 89 e6 81 c6 04 00 00 00 81 ee 04 00 00 00 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x22c7c0 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2279360 exception.address: 0x11bc7c0	success
1620726215.949343 __exception__	stacktrace: registers.esp: 3864880 registers.edi: 14827 registers.eax: 29260 registers.ebp: 3998531604 registers.edx: 2130566132 registers.ebx: 594295711 registers.esi: 0 registers.ecx: 18600188 exception.instruction_r: fb e9 12 ff ff ff c7 04 24 a2 74 b6 49 e9 a3 fe exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x22cbfe exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2280446 exception.address: 0x11bcbfe	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864844 registers.edi: 2773354914 registers.eax: 32520 registers.ebp: 3998531604 registers.edx: 18709982 registers.ebx: 18705810 registers.esi: 18705864 registers.ecx: 3252289536 exception.instruction_r: fb 50 57 68 00 2e ec 15 e9 00 00 00 00 5f f7 d7 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x247e21 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2391585 exception.address: 0x11d7e21	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 2773354914 registers.eax: 32520 registers.ebp: 3998531604 registers.edx: 18742502 registers.ebx: 18705810 registers.esi: 18705864 registers.ecx: 3252289536 exception.instruction_r: fb 50 e9 71 f8 ff ff 68 04 c0 6f 7d 5d e9 a2 00 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x24856e exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2393454 exception.address: 0x11d856e	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 2773354914 registers.eax: 4294937912 registers.ebp: 3998531604 registers.edx: 18742502 registers.ebx: 18705810 registers.esi: 18705864 registers.ecx: 116969 exception.instruction_r: fb 52 68 60 33 b0 7e 5a f7 d2 51 b9 95 ee be 33 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x248907 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2394375 exception.address: 0x11d8907	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864844 registers.edi: 18722548 registers.eax: 26899 registers.ebp: 3998531604 registers.edx: 18742502 registers.ebx: 2774510058 registers.esi: 2775652146 registers.ecx: 37461422 exception.instruction_r: fb e9 08 00 00 00 89 1c 24 e9 84 fe ff ff 53 e9 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x24b447 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2405447 exception.address: 0x11db447	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 18725619 registers.eax: 26899 registers.ebp: 3998531604 registers.edx: 15657296 registers.ebx: 0 registers.esi: 2775652146 registers.ecx: 37461422 exception.instruction_r: fb 68 7c b8 d6 06 89 34 24 53 68 7a 16 9f 77 e9 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x24ba66 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2407014 exception.address: 0x11dba66	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 4014570215 registers.eax: 27788 registers.ebp: 3998531604 registers.edx: 18759222 registers.ebx: 1074569472 registers.esi: 2794377765 registers.ecx: 1964942080 exception.instruction_r: fb 68 69 e3 c3 43 89 04 24 56 e9 ca 03 00 00 bb exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x24d751 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2414417 exception.address: 0x11dd751	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 4014570215 registers.eax: 27788 registers.ebp: 3998531604 registers.edx: 18759222 registers.ebx: 4294942536 registers.esi: 3702714040 registers.ecx: 1964942080 exception.instruction_r: fb e9 78 00 00 00 87 14 24 5c ff 34 1a ff 34 24 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x24d592 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2413970 exception.address: 0x11dd592	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864844 registers.edi: 18734933 registers.eax: 25691 registers.ebp: 3998531604 registers.edx: 1009677564 registers.ebx: 4294942536 registers.esi: 3702714040 registers.ecx: 1979050768 exception.instruction_r: fb 81 ef c9 27 71 6d 03 3c 24 e9 82 06 00 00 05 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x24dfee exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2416622 exception.address: 0x11ddfee	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 18760624 registers.eax: 25691 registers.ebp: 3998531604 registers.edx: 1009677564 registers.ebx: 4294942536 registers.esi: 3702714040 registers.ecx: 1979050768 exception.instruction_r: fb 68 86 28 93 57 89 3c 24 89 04 24 89 0c 24 89 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x24e312 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2417426 exception.address: 0x11de312	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 18737964 registers.eax: 0 registers.ebp: 3998531604 registers.edx: 1009677564 registers.ebx: 4294942536 registers.esi: 3702714040 registers.ecx: 1358981728 exception.instruction_r: fb 53 57 bf 9b 24 fe 7b 89 fb 5f 81 ec 04 00 00 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x24e7ff exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2418687 exception.address: 0x11de7ff	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864844 registers.edi: 18753694 registers.eax: 31198 registers.ebp: 3998531604 registers.edx: 2147427804 registers.ebx: 16840422 registers.esi: 18733162 registers.ecx: 2002452622 exception.instruction_r: fb 81 ef b3 3c 7f 5f 81 c7 1d 0d 3f 2f 81 ef f6 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x252a8c exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2435724 exception.address: 0x11e2a8c	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 18756752 registers.eax: 31198 registers.ebp: 3998531604 registers.edx: 0 registers.ebx: 16840422 registers.esi: 18733162 registers.ecx: 2746705 exception.instruction_r: fb 57 89 1c 24 54 8b 1c 24 52 89 e2 81 c2 04 00 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x253304 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2437892 exception.address: 0x11e3304	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864844 registers.edi: 18756752 registers.eax: 33076 registers.ebp: 3998531604 registers.edx: 0 registers.ebx: 2104116442 registers.esi: 18757161 registers.ecx: 1491488584 exception.instruction_r: fb e9 54 02 00 00 bb 63 46 ff 2b e9 98 00 00 00 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x2537b0 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2439088 exception.address: 0x11e37b0	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 18756752 registers.eax: 33076 registers.ebp: 3998531604 registers.edx: 0 registers.ebx: 2104116442 registers.esi: 18790237 registers.ecx: 1491488584 exception.instruction_r: fb e9 61 fb ff ff 5d 81 c5 04 00 00 00 51 51 c7 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x253bc8 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2440136 exception.address: 0x11e3bc8	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 4294937548 registers.eax: 33076 registers.ebp: 3998531604 registers.edx: 24811 registers.ebx: 2104116442 registers.esi: 18790237 registers.ecx: 1491488584 exception.instruction_r: fb 55 89 3c 24 c7 04 24 71 13 8f 77 81 0c 24 61 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x25389b exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2439323 exception.address: 0x11e389b	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864844 registers.edi: 0 registers.eax: 29270 registers.ebp: 3998531604 registers.edx: 24811 registers.ebx: 297758682 registers.esi: 18776778 registers.ecx: 0 exception.instruction_r: fb 57 89 2c 24 68 3f 68 ba 26 89 04 24 c7 04 24 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x258444 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2458692 exception.address: 0x11e8444	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 0 registers.eax: 322689 registers.ebp: 3998531604 registers.edx: 24811 registers.ebx: 297758682 registers.esi: 18779300 registers.ecx: 0 exception.instruction_r: fb 53 89 04 24 51 b9 a7 ed ee 7c 89 c8 59 40 35 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x258a9f exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2460319 exception.address: 0x11e8a9f	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 0 registers.eax: 31031 registers.ebp: 3998531604 registers.edx: 18810850 registers.ebx: 1735426921 registers.esi: 18779300 registers.ecx: 1694030130 exception.instruction_r: fb 51 68 62 67 ed 7c 89 0c 24 89 e1 81 c1 04 00 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x25980f exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2463759 exception.address: 0x11e980f	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 0 registers.eax: 31031 registers.ebp: 3998531604 registers.edx: 18810850 registers.ebx: 4294939200 registers.esi: 18779300 registers.ecx: 604292945 exception.instruction_r: fb e9 5a 05 00 00 81 ee 40 20 9e 4b c1 e6 06 81 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x25947d exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2462845 exception.address: 0x11e947d	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864844 registers.edi: 0 registers.eax: 28384 registers.ebp: 3998531604 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 18784472 registers.ecx: 18827102 exception.instruction_r: fb e9 64 00 00 00 81 c3 a4 f0 bf 2d 59 e9 98 01 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x264d37 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2510135 exception.address: 0x11f4d37	success
1620726215.980343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 0 registers.eax: 28384 registers.ebp: 3998531604 registers.edx: 2130566132 registers.ebx: 4294941548 registers.esi: 2298801283 registers.ecx: 18855486 exception.instruction_r: fb 56 89 14 24 89 0c 24 e9 48 fd ff ff 01 d9 5b exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x264ef6 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2510582 exception.address: 0x11f4ef6	success
1620726216.011343 __exception__	stacktrace: registers.esp: 3864844 registers.edi: 18871221 registers.eax: 29852 registers.ebp: 3998531604 registers.edx: 2130566132 registers.ebx: 18891906 registers.esi: 18848496 registers.ecx: 0 exception.instruction_r: fb 50 b8 2e 12 fb 6a 81 c3 0f 0b d5 59 e9 37 ff exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x274a98 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2575000 exception.address: 0x1204a98	success
1620726216.011343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 4294939884 registers.eax: 29852 registers.ebp: 3998531604 registers.edx: 2130566132 registers.ebx: 18921758 registers.esi: 12773712 registers.ecx: 0 exception.instruction_r: fb 55 c7 04 24 2e 0b 00 61 89 2c 24 81 ec 04 00 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x274894 exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2574484 exception.address: 0x1204894	success
1620726216.011343 __exception__	stacktrace: registers.esp: 3864848 registers.edi: 18904490 registers.eax: 31286 registers.ebp: 3998531604 registers.edx: 2130566132 registers.ebx: 18921758 registers.esi: 12773712 registers.ecx: 18946917 exception.instruction_r: fb 68 cf af d2 6d 89 0c 24 57 e9 ec f9 ff ff 52 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x27a8aa exception.instruction: sti exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2599082 exception.address: 0x120a8aa	success

Performs some HTTP requests (1 个事件)

request

GET http://ip-api.com/line

Allocates read-write-execute memory (usually to unpack itself) (25 个事件)

Time & API	Arguments	Status
1620726216.011343 NtProtectVirtualMemory	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1620726216.011343 NtProtectVirtualMemory	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1620726216.199343 NtProtectVirtualMemory	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 98304 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00f91000	success
1620726216.230343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a60000	success
1620726216.230343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bb0000	success
1620726216.230343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c00000	success
1620726216.230343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c10000	success
1620726216.230343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c60000	success
1620726216.230343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c70000	success
1620726216.230343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c80000	success
1620726216.230343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00cd0000	success
1620726216.245343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ce0000	success
1620726216.245343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00cf0000	success
1620726216.245343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e00000	success
1620726216.245343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00f10000	success
1620726216.245343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00f20000	success
1620726216.245343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00f30000	success
1620726216.245343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00f80000	success
1620726216.245343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02890000	success
1620726216.261343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x028a0000	success
1620726216.261343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c60000	success
1620726216.261343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c60000	success
1620726216.261343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c60000	success
1620726216.261343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c60000	success
1620726216.261343 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c60000	success

A process attempted to delay the analysis task. (1 个事件)

description

47f64a1f24d434108e3a2e49acb8759f.exe tried to sleep 216 seconds, actually delayed analysis time by 216 seconds

Looks up the external IP address (1 个事件)

domain

ip-api.com

Creates a suspicious process (2 个事件)

cmdline	C:\Windows\System32\cmd.exe /c rd /s /q C:\ProgramData\lrjsgnkcxkuu & timeout 2 & del /f /q "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\47f64a1f24d434108e3a2e49acb8759f.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\lrjsgnkcxkuu & timeout 2 & del /f /q "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\47f64a1f24d434108e3a2e49acb8759f.exe"

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\47f64a1f24d434108e3a2e49acb8759f.exe

A process created a hidden window (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620726241.574343 ShellExecuteExW	parameters: /c rd /s /q C:\ProgramData\lrjsgnkcxkuu & timeout 2 & del /f /q "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\47f64a1f24d434108e3a2e49acb8759f.exe" filepath: C:\Windows\System32\cmd.exe filepath_r: C:\Windows\system32\cmd.exe show_type: 0	success	1	0
1620726242.042343 ShellExecuteExW	parameters: /c rd /s /q C:\ProgramData\lrjsgnkcxkuu & timeout 2 & del /f /q "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\47f64a1f24d434108e3a2e49acb8759f.exe" filepath: C:\Windows\System32\cmd.exe filepath_r: C:\Windows\system32\cmd.exe show_type: 0	success	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620726236.792343 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)

entropy

7.98297461126842

section

{'size_of_data': '0x00017e00', 'virtual_address': '0x00001000', 'entropy': 7.98297461126842, 'name': ' \\x00 ', 'virtual_size': '0x00033000'}

description

A section with a high entropy has been found

entropy

7.951655870928773

section

{'size_of_data': '0x0019fa00', 'virtual_address': '0x0031d000', 'entropy': 7.951655870928773, 'name': 'hsrgfawb', 'virtual_size': '0x001a0000'}

description

A section with a high entropy has been found

entropy

0.8613424791768741

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 个事件)

process

system

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	C:\Windows\System32\cmd.exe /c rd /s /q C:\ProgramData\lrjsgnkcxkuu & timeout 2 & del /f /q "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\47f64a1f24d434108e3a2e49acb8759f.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\lrjsgnkcxkuu & timeout 2 & del /f /q "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\47f64a1f24d434108e3a2e49acb8759f.exe"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Attempts to identify installed AV products by installation directory (2 个事件)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avg

Checks for the presence of known devices from debuggers and forensic tools (3 个事件)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 83 个事件)

Time & API	Arguments	Status
1620726216.011343 FindWindowA	class_name: OLLYDBG window_name:	failed
1620726216.011343 FindWindowA	class_name: GBDYLLO window_name:	failed
1620726216.011343 FindWindowA	class_name: pediy06 window_name:	failed
1620726216.011343 FindWindowA	class_name: FilemonClass window_name:	failed
1620726216.011343 FindWindowA	class_name: FilemonClass window_name:	failed
1620726216.011343 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620726216.011343 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620726216.011343 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620726216.011343 FindWindowA	class_name: RegmonClass window_name:	failed
1620726216.011343 FindWindowA	class_name: RegmonClass window_name:	failed
1620726216.011343 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1620726216.011343 FindWindowA	class_name: 18467-41 window_name:	failed
1620726216.183343 FindWindowA	class_name: FilemonClass window_name:	failed
1620726216.183343 FindWindowA	class_name: FilemonClass window_name:	failed
1620726216.183343 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620726216.183343 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620726216.183343 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620726218.011343 FindWindowA	class_name: OLLYDBG window_name:	failed
1620726218.011343 FindWindowA	class_name: GBDYLLO window_name:	failed
1620726218.011343 FindWindowA	class_name: pediy06 window_name:	failed
1620726220.027343 FindWindowA	class_name: OLLYDBG window_name:	failed
1620726220.027343 FindWindowA	class_name: GBDYLLO window_name:	failed
1620726220.027343 FindWindowA	class_name: pediy06 window_name:	failed
1620726220.214343 FindWindowA	class_name: Regmonclass window_name:	failed
1620726220.214343 FindWindowA	class_name: Regmonclass window_name:	failed
1620726220.527343 FindWindowA	class_name: 18467-41 window_name:	failed
1620726220.839343 FindWindowA	class_name: Filemonclass window_name:	failed
1620726220.839343 FindWindowA	class_name: Filemonclass window_name:	failed
1620726220.839343 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620726222.042343 FindWindowA	class_name: OLLYDBG window_name:	failed
1620726222.042343 FindWindowA	class_name: GBDYLLO window_name:	failed
1620726222.042343 FindWindowA	class_name: pediy06 window_name:	failed
1620726224.058343 FindWindowA	class_name: OLLYDBG window_name:	failed
1620726224.058343 FindWindowA	class_name: GBDYLLO window_name:	failed
1620726224.058343 FindWindowA	class_name: pediy06 window_name:	failed
1620726224.839343 FindWindowA	class_name: Regmonclass window_name:	failed
1620726224.839343 FindWindowA	class_name: Regmonclass window_name:	failed
1620726225.152343 FindWindowA	class_name: 18467-41 window_name:	failed
1620726225.464343 FindWindowA	class_name: Filemonclass window_name:	failed
1620726225.464343 FindWindowA	class_name: Filemonclass window_name:	failed
1620726225.464343 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620726226.074343 FindWindowA	class_name: OLLYDBG window_name:	failed
1620726226.074343 FindWindowA	class_name: GBDYLLO window_name:	failed
1620726226.074343 FindWindowA	class_name: pediy06 window_name:	failed
1620726228.089343 FindWindowA	class_name: OLLYDBG window_name:	failed
1620726228.089343 FindWindowA	class_name: GBDYLLO window_name:	failed
1620726228.089343 FindWindowA	class_name: pediy06 window_name:	failed
1620726229.464343 FindWindowA	class_name: Regmonclass window_name:	failed
1620726229.464343 FindWindowA	class_name: Regmonclass window_name:	failed
1620726229.777343 FindWindowA	class_name: 18467-41 window_name:	failed

Checks the version of Bios, possibly for anti-virtualization (2 个事件)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\47f64a1f24d434108e3a2e49acb8759f.exe

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)

Time & API	Arguments	Status
1620726239.355343 RegSetValueExA	key_handle: 0x00000478 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620726239.370343 RegSetValueExA	key_handle: 0x00000478 value: @¿^7F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620726239.370343 RegSetValueExA	key_handle: 0x00000478 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620726239.370343 RegSetValueExW	key_handle: 0x00000478 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620726239.370343 RegSetValueExA	key_handle: 0x0000048c value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620726239.370343 RegSetValueExA	key_handle: 0x0000048c value: @¿^7F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620726239.370343 RegSetValueExA	key_handle: 0x0000048c value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620726239.386343 RegSetValueExW	key_handle: 0x00000474 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success
1620726239.917343 RegSetValueExA	key_handle: 0x0000049c value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620726239.917343 RegSetValueExA	key_handle: 0x0000049c value: `´7F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620726239.917343 RegSetValueExA	key_handle: 0x0000049c value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620726239.917343 RegSetValueExW	key_handle: 0x0000049c value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620726239.917343 RegSetValueExA	key_handle: 0x000004a0 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620726239.917343 RegSetValueExA	key_handle: 0x000004a0 value: `´7F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620726239.917343 RegSetValueExA	key_handle: 0x000004a0 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success

Detects VirtualBox through the presence of a registry key (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620726215.574343 __exception__	stacktrace: registers.esp: 3864880 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 3998531604 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 18454558 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 5a 0c 00 00 81 c6 17 exception.symbol: 47f64a1f24d434108e3a2e49acb8759f+0x20a324 exception.instruction: in eax, dx exception.module: 47f64a1f24d434108e3a2e49acb8759f.exe exception.exception_code: 0xc0000096 exception.offset: 2138916 exception.address: 0x119a324	success	0	0

Detects the presence of Wine emulator (1 个事件)

registry

HKEY_CURRENT_USER\Software\Wine

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.AgentWDCR.ABSY
FireEye	Generic.mg.47f64a1f24d43410
CAT-QuickHeal	TrojanSpy.BitWall
Qihoo-360	Generic/HEUR/QVM19.1.D438.Malware.Gen
McAfee	Artemis!47F64A1F24D4
Cylance	Unsafe
K7AntiVirus	Trojan ( 005643be1 )
Alibaba	TrojanSpy:Win32/BitWall.fcabeecd
K7GW	Trojan ( 005643be1 )
Arcabit	Trojan.AgentWDCR.ABSY
BitDefenderTheta	Gen:NN.ZexaF.34742.@z0aaKP6x7ii
Cyren	W32/Trojan.SOMB-5907
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	Trojan-Spy.Win32.BitWall.ato
BitDefender	Trojan.AgentWDCR.ABSY
NANO-Antivirus	Trojan.Win32.BitWall.hupjpj
Paloalto	generic.ml
AegisLab	Trojan.Win32.BitWall.l!c
Rising	Stealer.Cryptbot!8.1116F (KTSE)
Ad-Aware	Trojan.AgentWDCR.ABSY
Sophos	Mal/Generic-S + Mal/Generic-L
Comodo	Malware@#d3wrp1qh0fue
F-Secure	Trojan.TR/Spy.Agent.zmiss
DrWeb	Trojan.DownLoader34.38561
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TrojanSpy.Win32.BITWALL.AFS
McAfee-GW-Edition	BehavesLike.Win32.SuspiciousPacked.tc
Emsisoft	Trojan.AgentWDCR.ABSY (B)
Ikarus	Trojan.Win32.Themida
Jiangmin	Trojan.Generic.gdlsl
Webroot	W32.Spyware.Gen
Avira	TR/Spy.Agent.zmiss
MAX	malware (ai score=85)
Antiy-AVL	Trojan[Spy]/Win32.BitWall
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Gridinsoft	Trojan.Win32.Packed.vb
Microsoft	Trojan:Win32/CryptBot.A!MTB
ZoneAlarm	Trojan-Spy.Win32.BitWall.ato
GData	Win32.Trojan.Agent.2FNPD5
Cynet	Malicious (score: 100)
AhnLab-V3	Spyware/Win32.SpyEyes.C2242773
VBA32	TScope.Malware-Cryptor.SB
ALYac	Spyware.SpyEyes
Malwarebytes	Spyware.CryptBot
Zoner	Trojan.Win32.97796
ESET-NOD32	Win32/Spy.Agent.PRG

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-16 14:58:26

Imports

Library kernel32.dll:

• 0x47b033 lstrcpy

Library comctl32.dll:

• 0x47b03b InitCommonControls

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
ip-api.com	A 208.95.112.1	208.95.112.1
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49176	208.95.112.1 ip-api.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

URI	Data
http://ip-api.com/line	GET /line HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: ip-api.com Connection: Keep-Alive

URI

Data

http://ip-api.com/line

GET /line HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: ip-api.com
Connection: Keep-Alive

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.