SmartHawk

10.4

0-day

53 个模型检测该样本为恶意！

重新分析

下载样本

fbe27506c78a9c364bdadfbdbcfe6c60a436aa3c06c0d83494ef4edda50cd93e

4c63a73407440f6c1acd37e6dcbe7677.exe

分析耗时

85s

最近分析

文件大小

1.3MB

静态报毒动态报毒 100% AI SCORE=88 AIDETECTVM ARTEMIS CLIPBANKER CLIPBANKERNET CONFIDENCE CRYPTINJECT EXYA GCUUN GENERIC@ML GENERICKD HIGH CONFIDENCE HSISAU IWO9OK1R6E82 MALICIOUS PE MALWARE2 PEPV POSSIBLETHREAT QVM19 R002C0WHK20 RDML RZ0AAKOJHHF SCORE SUEP THEMIDA UNSAFE XZD32YFHA ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!4C63A7340744	20200908	6.0.6.653
Alibaba	Trojan:Win32/CryptInject.97a0c058	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Trojan-gen	20200908	18.4.3895.0
Tencent	Win32.Trojan.Generic.Pepv	20200908	1.0.0.1
Kingsoft		20200908	2013.8.14.323
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Checks if process is being debugged by a debugger (3 个事件)

Time & API	Arguments	Status	Return	Repeated
1619464027.843 IsDebuggerPresent		failed	0	0
1619464028.343 IsDebuggerPresent		failed	0	0
1619464028.343 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619464028.484 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 个事件)

section	\x00
section	.idata
section
section	pbmcjser
section	xmdmufqf

One or more processes crashed (50 out of 119 个事件)

Time & API	Arguments	Status
1619464026.593 __exception__	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 7470952 registers.edi: 0 registers.eax: 1 registers.ebp: 7470968 registers.edx: 4128768 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x22c0b9 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 2277561 exception.address: 0x2ac0b9	success
1619464026.593 __exception__	stacktrace: registers.esp: 7470912 registers.edi: 0 registers.eax: 528384 registers.ebp: 4073824276 registers.edx: 40960 registers.ebx: 1132899640 registers.esi: 0 registers.ecx: 40960 exception.instruction_r: 66 81 38 4d 5a 75 0e 0f b7 50 3c 01 c2 81 3a 50 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0xb9f8 exception.instruction: cmp word ptr [eax], 0x5a4d exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000005 exception.offset: 47608 exception.address: 0x8b9f8	success
1619464026.593 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 1983119592 registers.eax: 32334 registers.ebp: 4073824276 registers.edx: 605080 registers.ebx: 222857882 registers.esi: 3 registers.ecx: 1983315968 exception.instruction_r: fb 68 95 1c 00 00 ff 34 24 8b 0c 24 81 c4 04 00 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0xc6aa exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 50858 exception.address: 0x8c6aa	success
1619464026.593 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 1983119592 registers.eax: 32334 registers.ebp: 4073824276 registers.edx: 575812 registers.ebx: 222857882 registers.esi: 224489 registers.ecx: 0 exception.instruction_r: fb 68 39 4b 00 00 89 2c 24 53 68 18 11 0e 39 5b exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0xc291 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 49809 exception.address: 0x8c291	success
1619464026.593 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 1983119592 registers.eax: 606272 registers.ebp: 4073824276 registers.edx: 575812 registers.ebx: 4294940740 registers.esi: 1259 registers.ecx: 1009522721 exception.instruction_r: fb 68 20 37 00 00 e9 41 00 00 00 8b 0c 24 81 c4 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0xd702 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 55042 exception.address: 0x8d702	success
1619464026.593 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 607088 registers.eax: 1904653 registers.ebp: 4073824276 registers.edx: 2130566132 registers.ebx: 38863441 registers.esi: 1867261 registers.ecx: 593 exception.instruction_r: fb 68 2a 10 00 00 89 3c 24 89 04 24 e9 5b 00 00 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x14aefc exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1355516 exception.address: 0x1caefc	success
1619464026.593 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 657385 registers.eax: 1880417 registers.ebp: 4073824276 registers.edx: 2130566132 registers.ebx: 38863441 registers.esi: 0 registers.ecx: 593 exception.instruction_r: fb ba 13 02 3d 1c 51 b9 91 71 b7 09 81 e1 58 6a exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x14ac64 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1354852 exception.address: 0x1cac64	success
1619464026.593 __exception__	stacktrace: registers.esp: 7470916 registers.edi: 43325 registers.eax: 1887702 registers.ebp: 4073824276 registers.edx: 5177720 registers.ebx: 1883455 registers.esi: 1983214664 registers.ecx: 43325 exception.instruction_r: fb 51 83 ec 04 89 2c 24 e9 85 05 00 00 81 c4 04 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x14ceac exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1363628 exception.address: 0x1cceac	success
1619464026.593 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 43325 registers.eax: 1920144 registers.ebp: 4073824276 registers.edx: 12970322 registers.ebx: 4294937524 registers.esi: 1983214664 registers.ecx: 43325 exception.instruction_r: fb 68 0b 85 3b 09 e9 15 fc ff ff 81 c1 e2 7b 75 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x14d1c3 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1364419 exception.address: 0x1cd1c3	success
1619464026.593 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 1893540 registers.eax: 134889 registers.ebp: 4073824276 registers.edx: 154895627 registers.ebx: 0 registers.esi: 1983214664 registers.ecx: 328990490 exception.instruction_r: fb 50 52 56 e9 ed 05 00 00 f7 d0 e9 2c 00 00 00 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x14dacc exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1366732 exception.address: 0x1cdacc	success
1619464026.593 __exception__	stacktrace: registers.esp: 7470912 registers.edi: 5189130 registers.eax: 1447909480 registers.ebp: 4073824276 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 1917346 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 56 54 e9 f2 29 00 00 8b exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x155be3 exception.instruction: in eax, dx exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1399779 exception.address: 0x1d5be3	success
1619464026.593 __exception__	stacktrace: registers.esp: 7470912 registers.edi: 5189130 registers.eax: 1 registers.ebp: 4073824276 registers.edx: 22104 registers.ebx: 0 registers.esi: 1917346 registers.ecx: 20 exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x15865b exception.address: 0x1d865b exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc000001d exception.offset: 1410651	success
1619464026.593 __exception__	stacktrace: registers.esp: 7470912 registers.edi: 5189130 registers.eax: 1447909480 registers.ebp: 4073824276 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 1917346 registers.ecx: 10 exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 b5 2b 37 0d 01 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x155c24 exception.instruction: in eax, dx exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1399844 exception.address: 0x1d5c24	success
1619464026.828 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 0 registers.eax: 7470880 registers.ebp: 4073824276 registers.edx: 1939490 registers.ebx: 1942849 registers.esi: 19321827 registers.ecx: 683987279 exception.instruction_r: cd 01 eb 00 6a 00 56 e8 03 00 00 00 20 5e c3 5e exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x15a3e8 exception.instruction: int 1 exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000005 exception.offset: 1418216 exception.address: 0x1da3e8	success
1619464026.828 __exception__	stacktrace: registers.esp: 7470916 registers.edi: 5189130 registers.eax: 29165 registers.ebp: 4073824276 registers.edx: 2130566132 registers.ebx: 19306530 registers.esi: 1943009 registers.ecx: 1943590 exception.instruction_r: fb e9 f0 03 00 00 81 c2 3c 48 ee 2c 81 ea d9 77 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x15aa74 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1419892 exception.address: 0x1daa74	success
1619464026.828 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 5189130 registers.eax: 29165 registers.ebp: 4073824276 registers.edx: 2130566132 registers.ebx: 19306530 registers.esi: 1943009 registers.ecx: 1972755 exception.instruction_r: fb 68 34 25 00 00 89 0c 24 e9 a8 fe ff ff 89 f7 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x15ad63 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1420643 exception.address: 0x1dad63	success
1619464026.828 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 5189130 registers.eax: 29165 registers.ebp: 4073824276 registers.edx: 6379 registers.ebx: 4294940948 registers.esi: 1943009 registers.ecx: 1972755 exception.instruction_r: fb e9 00 00 00 00 57 52 e9 a1 fe ff ff 5e 52 89 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x15b2ab exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1421995 exception.address: 0x1db2ab	success
1619464026.828 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 4294944424 registers.eax: 25581 registers.ebp: 4073824276 registers.edx: 1987054 registers.ebx: 1451714063 registers.esi: 1943009 registers.ecx: 65769 exception.instruction_r: fb 57 e9 f8 fb ff ff 89 f1 5e bd 22 c1 e6 39 31 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x15f2c7 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1438407 exception.address: 0x1df2c7	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470916 registers.edi: 4074313338 registers.eax: 27379 registers.ebp: 4073824276 registers.edx: 6 registers.ebx: 682283 registers.esi: 2000227 registers.ecx: 6 exception.instruction_r: fb 55 bd 29 20 3b 0e 81 cd 57 08 15 5e 83 ed ff exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x16858b exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1475979 exception.address: 0x1e858b	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 0 registers.eax: 27379 registers.ebp: 4073824276 registers.edx: 6 registers.ebx: 682283 registers.esi: 2002850 registers.ecx: 7470696 exception.instruction_r: fb 57 89 2c 24 56 be 33 6a e3 68 81 f6 e7 62 d6 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1689b1 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1477041 exception.address: 0x1e89b1	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470916 registers.edi: 0 registers.eax: 26372 registers.ebp: 4073824276 registers.edx: 6 registers.ebx: 682283 registers.esi: 2002850 registers.ecx: 2003085 exception.instruction_r: fb 57 81 ec 04 00 00 00 89 04 24 b8 89 51 15 7c exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x169777 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1480567 exception.address: 0x1e9777	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 0 registers.eax: 26372 registers.ebp: 4073824276 registers.edx: 6 registers.ebx: 682283 registers.esi: 2002850 registers.ecx: 2029457 exception.instruction_r: fb 68 00 00 00 00 e9 7c 00 00 00 87 0c 24 8b 24 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x16924f exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1479247 exception.address: 0x1e924f	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470920 registers.edi: 0 registers.eax: 26372 registers.ebp: 4073824276 registers.edx: 4294944524 registers.ebx: 58089 registers.esi: 2002850 registers.ecx: 2029457 exception.instruction_r: fb 81 ec 04 00 00 00 e9 ca fe ff ff be 28 76 4d exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x169304 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1479428 exception.address: 0x1e9304	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470908 registers.edi: 2028115 registers.eax: 26980 registers.ebp: 4073824276 registers.edx: 2130566132 registers.ebx: 680841145 registers.esi: 2002850 registers.ecx: 97058816 exception.instruction_r: fb 68 ce 08 00 00 89 34 24 50 68 fd 57 a0 73 e9 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x16f30e exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1504014 exception.address: 0x1ef30e	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470912 registers.edi: 2030807 registers.eax: 26980 registers.ebp: 4073824276 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2002850 registers.ecx: 14827 exception.instruction_r: fb 55 89 e5 e9 49 f8 ff ff 83 ed 04 e9 23 f7 ff exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x16fb69 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1506153 exception.address: 0x1efb69	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470876 registers.edi: 282849333 registers.eax: 31301 registers.ebp: 4073824276 registers.edx: 2143245 registers.ebx: 1496445634 registers.esi: 2139153 registers.ecx: 4294945017 exception.instruction_r: fb 83 ec 04 89 0c 24 b9 a8 0c 1b 1b 55 e9 75 ff exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x18b542 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1619266 exception.address: 0x20b542	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 282849333 registers.eax: 116969 registers.ebp: 4073824276 registers.edx: 2146870 registers.ebx: 1496445634 registers.esi: 2139153 registers.ecx: 0 exception.instruction_r: fb 68 02 3c db 61 ff 34 24 ff 34 24 e9 c4 06 00 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x18b7d9 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1619929 exception.address: 0x20b7d9	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 282849333 registers.eax: 3516238688 registers.ebp: 4073824276 registers.edx: 2180260 registers.ebx: 284947391 registers.esi: 4294942612 registers.ecx: 4298225 exception.instruction_r: fb 50 89 2c 24 68 00 44 24 7a ff 34 24 5d 81 ec exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x18e065 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1630309 exception.address: 0x20e065	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 3395329102 registers.eax: 26040 registers.ebp: 4073824276 registers.edx: 2180260 registers.ebx: 2182566 registers.esi: 2155604 registers.ecx: 0 exception.instruction_r: fb 29 f6 ff 34 33 53 e9 0b 05 00 00 89 2c 24 e9 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x18eb87 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1633159 exception.address: 0x20eb87	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 3395329102 registers.eax: 26040 registers.ebp: 4073824276 registers.edx: 2180260 registers.ebx: 2182566 registers.esi: 4294943576 registers.ecx: 344543318 exception.instruction_r: fb 53 e9 65 01 00 00 55 e9 ba 04 00 00 55 56 68 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x18e87a exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1632378 exception.address: 0x20e87a	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470876 registers.edi: 3395329102 registers.eax: 2159203 registers.ebp: 4073824276 registers.edx: 2180260 registers.ebx: 2182566 registers.esi: 4294943576 registers.ecx: 2057730981 exception.instruction_r: fb 05 0b 04 7f 7d 51 55 bd b8 3c 36 3d 53 68 36 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x18fa53 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1636947 exception.address: 0x20fa53	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 3395329102 registers.eax: 2187662 registers.ebp: 4073824276 registers.edx: 2180260 registers.ebx: 2182566 registers.esi: 4294943576 registers.ecx: 2057730981 exception.instruction_r: fb 68 10 19 00 00 ff 34 24 ff 34 24 e9 33 00 00 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x18f8f9 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1636601 exception.address: 0x20f8f9	success
1619464027.062 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 457705 registers.eax: 2161998 registers.ebp: 4073824276 registers.edx: 0 registers.ebx: 2182566 registers.esi: 4294943576 registers.ecx: 2057730981 exception.instruction_r: fb e9 ff 01 00 00 33 1c 24 5c fb 68 10 19 00 00 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x18f8ef exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1636591 exception.address: 0x20f8ef	success
1619464027.375 __exception__	stacktrace: registers.esp: 7470876 registers.edi: 457705 registers.eax: 2202071 registers.ebp: 4073824276 registers.edx: 2130378752 registers.ebx: 65802 registers.esi: 4294943576 registers.ecx: 2002452622 exception.instruction_r: fb 51 e9 0c 02 00 00 01 c3 e9 bd fc ff ff 89 da exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x199e9c exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1679004 exception.address: 0x219e9c	success
1619464027.375 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 457705 registers.eax: 2228188 registers.ebp: 4073824276 registers.edx: 2130378752 registers.ebx: 65802 registers.esi: 4294943576 registers.ecx: 2002452622 exception.instruction_r: fb 31 f6 ff 34 06 ff 34 24 e9 f8 03 00 00 01 e8 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x199d43 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1678659 exception.address: 0x219d43	success
1619464027.375 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 457705 registers.eax: 2228188 registers.ebp: 4073824276 registers.edx: 2130378752 registers.ebx: 44777 registers.esi: 4294943548 registers.ecx: 2002452622 exception.instruction_r: fb 68 f9 27 00 00 89 34 24 be 81 72 ae 06 81 f6 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x19a2c4 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1680068 exception.address: 0x21a2c4	success
1619464027.797 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 457705 registers.eax: 81129 registers.ebp: 4073824276 registers.edx: 466 registers.ebx: 4294943188 registers.esi: 2553348 registers.ecx: 2248093 exception.instruction_r: fb 53 68 48 40 56 18 5b c1 eb 02 68 9c 1c 00 00 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x19e761 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1697633 exception.address: 0x21e761	success
1619464027.797 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 457705 registers.eax: 28935 registers.ebp: 4073824276 registers.edx: 466 registers.ebx: 2620413 registers.esi: 5109368 registers.ecx: 2256640 exception.instruction_r: fb e9 86 03 00 00 89 04 24 e9 28 00 00 00 b9 0c exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1a029d exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1704605 exception.address: 0x22029d	success
1619464027.797 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 0 registers.eax: 28935 registers.ebp: 4073824276 registers.edx: 466 registers.ebx: 2277910251 registers.esi: 5109368 registers.ecx: 2230704 exception.instruction_r: fb 56 68 78 44 d9 39 5e 55 51 e9 57 01 00 00 89 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1a0145 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1704261 exception.address: 0x220145	success
1619464027.797 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 186601 registers.eax: 27394 registers.ebp: 4073824276 registers.edx: 1290 registers.ebx: 2237232 registers.esi: 2162829 registers.ecx: 0 exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 e9 7d f5 ff ff bd exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1a2289 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1712777 exception.address: 0x222289	success
1619464027.797 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 2253971 registers.eax: 30178 registers.ebp: 4073824276 registers.edx: 2130566132 registers.ebx: 2002452454 registers.esi: 2237415 registers.ecx: 2299345 exception.instruction_r: fb 68 00 00 00 00 ff 34 24 ff 34 24 8b 14 24 83 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1aa726 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1746726 exception.address: 0x22a726	success
1619464027.797 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 2253971 registers.eax: 2179434839 registers.ebp: 4073824276 registers.edx: 4294940228 registers.ebx: 2002452454 registers.esi: 2237415 registers.ecx: 2299345 exception.instruction_r: fb e9 7f fe ff ff 89 0c 24 e9 24 02 00 00 ff 34 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1aa51c exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1746204 exception.address: 0x22a51c	success
1619464027.797 __exception__	stacktrace: registers.esp: 7470876 registers.edi: 2253971 registers.eax: 27193 registers.ebp: 4073824276 registers.edx: 4294940228 registers.ebx: 469539372 registers.esi: 2272696 registers.ecx: 491564540 exception.instruction_r: fb 83 ec 04 89 04 24 b8 f2 3c cf 23 57 bf 45 6a exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1aae4c exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1748556 exception.address: 0x22ae4c	success
1619464027.797 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 2253971 registers.eax: 0 registers.ebp: 4073824276 registers.edx: 4294940228 registers.ebx: 469539372 registers.esi: 2275493 registers.ecx: 36841 exception.instruction_r: fb 68 60 70 00 00 e9 1f 02 00 00 87 cd e9 e8 fd exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1ab10d exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1749261 exception.address: 0x22b10d	success
1619464027.843 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 9961 registers.eax: 4294940796 registers.ebp: 4073824276 registers.edx: 2130566132 registers.ebx: 2295411 registers.esi: 2352355 registers.ecx: 97058816 exception.instruction_r: fb 68 0c 77 00 00 89 14 24 83 ec 04 89 34 24 68 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1b7376 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1799030 exception.address: 0x237376	success
1619464027.843 __exception__	stacktrace: registers.esp: 7470876 registers.edi: 1344811536 registers.eax: 31300 registers.ebp: 4073824276 registers.edx: 4294941520 registers.ebx: 2343445 registers.esi: 33594192 registers.ecx: 2359441 exception.instruction_r: fb 50 89 14 24 83 ec 04 e9 6e 04 00 00 89 e2 81 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1c057f exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1836415 exception.address: 0x24057f	success
1619464027.843 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 1344811536 registers.eax: 31300 registers.ebp: 4073824276 registers.edx: 4294941520 registers.ebx: 2343445 registers.esi: 33594192 registers.ecx: 2390741 exception.instruction_r: fb 57 52 89 34 24 89 14 24 68 ec 12 af 10 5a 52 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1c0182 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1835394 exception.address: 0x240182	success
1619464027.843 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 1344811536 registers.eax: 0 registers.ebp: 4073824276 registers.edx: 4294941520 registers.ebx: 5097 registers.esi: 33594192 registers.ecx: 2362365 exception.instruction_r: fb 51 57 e9 d1 fd ff ff 68 23 2e 00 00 89 3c 24 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1c06a5 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1836709 exception.address: 0x2406a5	success
1619464027.859 __exception__	stacktrace: registers.esp: 7470876 registers.edi: 1344811536 registers.eax: 30256 registers.ebp: 4073824276 registers.edx: 2376753 registers.ebx: 2364340 registers.esi: 33594192 registers.ecx: 97058816 exception.instruction_r: fb 81 c2 0b 43 00 27 55 bd de 43 08 54 52 ba c3 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1c44c1 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1852609 exception.address: 0x2444c1	success
1619464027.859 __exception__	stacktrace: registers.esp: 7470880 registers.edi: 1344811536 registers.eax: 30256 registers.ebp: 4073824276 registers.edx: 2407009 registers.ebx: 2364340 registers.esi: 33594192 registers.ecx: 97058816 exception.instruction_r: fb 83 ec 04 89 1c 24 89 e3 81 c3 04 00 00 00 83 exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x1c4817 exception.instruction: sti exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1853463 exception.address: 0x244817	success

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1541 个事件)

Time & API	Arguments	Status	Return
1619464027.39 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74511000	success	0
1619464027.39 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75f61000	success	0
1619464027.484 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76541000	success	0
1619464027.484 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f1000	success	0
1619464027.484 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x768e2000	success	0
1619464027.484 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x776b1000	success	0
1619464027.484 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77860000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74511000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x745112d0	failed	3221225477
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74761000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75900000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76541000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x765417d0	failed	3221225477
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x765e1000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f1000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f19a8	failed	3221225477
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x768e2000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x768e224c	failed	3221225477
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a0000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x776b1000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x776b1014	failed	3221225477
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77860000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77860070	failed	3221225477
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75951000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75c80000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f1000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f1394	failed	3221225477
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x768e1000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74511000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74511188	failed	3221225477
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74761000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74761350	failed	3221225477
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75f61000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75f610e4	failed	3221225477
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76541000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x7654180c	failed	3221225477
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x765e1000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x765e10ec	failed	3221225477
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a0000	success	0
1619464027.531 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a035c	failed	3221225477
1619464027.547 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x776b1000	success	0
1619464027.547 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x776b11c8	failed	3221225477
1619464027.547 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75951000	success	0
1619464027.547 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75951198	failed	3221225477
1619464027.547 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75c80000	success	0
1619464027.547 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75c80270	failed	3221225477
1619464027.547 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f1000	success	0
1619464027.547 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f13a8	failed	3221225477
1619464027.547 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x768e1000	success	0
1619464027.547 NtProtectVirtualMemory	process_identifier: 1068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x768e124c	failed	3221225477

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619464033.625 GetAdaptersAddresses	flags: 15 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (4 个事件)

entropy

7.889992265297173

section

{'size_of_data': '0x00001c00', 'virtual_address': '0x00002000', 'entropy': 7.889992265297173, 'name': ' \\x00 ', 'virtual_size': '0x00004000'}

description

A section with a high entropy has been found

entropy

7.9531019483510255

section

{'size_of_data': '0x00142800', 'virtual_address': '0x0022c000', 'entropy': 7.9531019483510255, 'name': 'pbmcjser', 'virtual_size': '0x00144000'}

description

A section with a high entropy has been found

entropy

7.2395854009180765

section

{'size_of_data': '0x00000200', 'virtual_address': '0x00370000', 'entropy': 7.2395854009180765, 'name': 'xmdmufqf', 'virtual_size': '0x00002000'}

description

A section with a high entropy has been found

entropy

0.9984609465178915

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619464029.031 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Expresses interest in specific running processes (1 个事件)

process

system

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Checks for the presence of known devices from debuggers and forensic tools (3 个事件)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (17 个事件)

Time & API	Arguments	Status
1619464027.797 FindWindowA	class_name: OLLYDBG window_name:	failed
1619464027.797 FindWindowA	class_name: GBDYLLO window_name:	failed
1619464027.797 FindWindowA	class_name: pediy06 window_name:	failed
1619464027.843 FindWindowA	class_name: FilemonClass window_name:	failed
1619464027.843 FindWindowA	class_name: FilemonClass window_name:	failed
1619464027.843 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1619464027.843 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619464027.843 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1619464027.843 FindWindowA	class_name: RegmonClass window_name:	failed
1619464027.843 FindWindowA	class_name: RegmonClass window_name:	failed
1619464027.843 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1619464027.843 FindWindowA	class_name: 18467-41 window_name:	failed
1619464027.922 FindWindowA	class_name: FilemonClass window_name:	failed
1619464027.922 FindWindowA	class_name: FilemonClass window_name:	failed
1619464027.922 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1619464027.922 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619464027.922 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed

Checks the version of Bios, possibly for anti-virtualization (2 个事件)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 个事件)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Steam

reg_value

C:\Users\Administrator.Oskar-PC\AppData\Roaming\NVIDIA\dllhost.exe

Detects VirtualBox through the presence of a registry key (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619464026.593 __exception__	stacktrace: registers.esp: 7470912 registers.edi: 5189130 registers.eax: 1447909480 registers.ebp: 4073824276 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 1917346 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 56 54 e9 f2 29 00 00 8b exception.symbol: 4c63a73407440f6c1acd37e6dcbe7677+0x155be3 exception.instruction: in eax, dx exception.module: 4c63a73407440f6c1acd37e6dcbe7677.exe exception.exception_code: 0xc0000096 exception.offset: 1399779 exception.address: 0x1d5be3	success	0	0

Detects the presence of Wine emulator (1 个事件)

registry

HKEY_CURRENT_USER\Software\Wine

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)

Bkav	W32.AIDetectVM.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.34390313
McAfee	Artemis!4C63A7340744
Cylance	Unsafe
Zillya	Trojan.Themida.Win32.55146
K7AntiVirus	Trojan ( 00559c3c1 )
Alibaba	Trojan:Win32/CryptInject.97a0c058
K7GW	Trojan ( 00559c3c1 )
Cybereason	malicious.407440
Arcabit	Trojan.Generic.D20CC129
Invincea	Mal/Generic-S
Cyren	W32/Trojan.SUEP-4120
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/Packed.Themida.HAG
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.GenericKD.34390313
NANO-Antivirus	Trojan.Win32.ClipBankerNET.hsisau
ViRobot	Trojan.Win32.Z.Themida.1338880
Avast	Win32:Trojan-gen
Tencent	Win32.Trojan.Generic.Pepv
Ad-Aware	Trojan.GenericKD.34390313
F-Secure	Trojan.TR/Crypt.TPM.Gen
DrWeb	Trojan.ClipBankerNET.14
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0WHK20
FireEye	Generic.mg.4c63a73407440f6c
Sophos	Mal/Generic-S
SentinelOne	DFI - Malicious PE
Jiangmin	Trojan.Generic.gcuun
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=88)
Antiy-AVL	Trojan[Packed]/Win32.Themida
Microsoft	Trojan:Win32/CryptInject!MSR
AegisLab	Trojan.Win32.Generic.4!c
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.GenericKD.34390313
Cynet	Malicious (score: 100)
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34216.rz0aaKojhhf
ALYac	Trojan.Clipbanker.A
Malwarebytes	Spyware.Exya
TrendMicro-HouseCall	TROJ_GEN.R002C0WHK20
Rising	Trojan.Generic@ML.100 (RDML:iwO9OK1r6e82/xzd32YfHA)
Ikarus	Trojan.Win32.Themida
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/PossibleThreat
AVG	Win32:Trojan-gen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)

dead_host	172.217.24.14:443
dead_host	108.160.169.54:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-15 02:27:00

Imports

Library kernel32.dll:

• 0x408033 lstrcpy

Library comctl32.dll:

• 0x40803b InitCommonControls

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.24.14
www.google.com	A 108.160.169.54 A 157.240.17.50
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.