SmartHawk

8.2

高危

59 个模型检测该样本为恶意！

重新分析

下载样本

7b63fe3a66c0833d20f06690f55fc6d6d6f337c3c3ced53076a498d6ae1556be

4cb05f749bae8d5b1906c4cdd4a8ff68.exe

分析耗时

116s

最近分析

文件大小

805.5KB

静态报毒动态报毒 100% 4DHETZR3SQC AGENERIC AGENTB AI SCORE=88 AIDETECTVM ATMN ATTRIBUTE CONFIDENCE DARKCOMET DYAMAR FBQUHJ GENCIRC GENERICRXJS GENETIC HIGH CONFIDENCE HIGHCONFIDENCE JACARD JRHY KCLOUD MALICIOUS PE MALWARE2 MALWARE@#33KIL1QRXB7ZW MINT OPTIX QQPASS SCAR SCORE SNEAKY STATIC AI UNSAFE W2000M YO0@AOTWKOJG Z6DK7KDLQZI ZEXAF ZOREX 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXJS-ZR!4CB05F749BAE	20201211	6.0.6.653
Alibaba	Worm:Win32/Agentb.6e6a459e	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Zorex-E [Wrm]	20201210	21.1.5827.0
Tencent	Malware.Win32.Gencirc.10b8614a	20201211	1.0.0.1
Kingsoft	Win32.Troj.Agentb.jr.(kcloud)	20201211	2017.9.26.565
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619521161.138501 IsDebuggerPresent		failed	0	0
1619521161.138501 IsDebuggerPresent		failed	0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 个事件)

section	CODE
section	DATA
section	BSS
section	.code

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

DYA2IMAGES

One or more processes crashed (5 个事件)

Time & API	Arguments	Status
1619521160.950501 __exception__	stacktrace: 4cb05f749bae8d5b1906c4cdd4a8ff68+0xed239 @ 0x4ed239 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 registers.esp: 1635952 registers.edi: 5538008 registers.eax: 1 registers.ebp: 1635992 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1637212 registers.ecx: 1486012536 exception.instruction_r: eb 09 33 c0 40 c3 8b 65 e8 33 c0 c7 45 fc fe ff exception.symbol: 4cb05f749bae8d5b1906c4cdd4a8ff68+0xe62fc exception.instruction: jmp 0x4e6307 exception.module: 4cb05f749bae8d5b1906c4cdd4a8ff68.exe exception.exception_code: 0x80000004 exception.offset: 942844 exception.address: 0x4e62fc	success
1619521161.138501 __exception__	stacktrace: 4cb05f749bae8d5b1906c4cdd4a8ff68+0xed262 @ 0x4ed262 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 registers.esp: 1635948 registers.edi: 5538008 registers.eax: 1635976 registers.ebp: 1635992 registers.edx: 155 registers.ebx: 0 registers.esi: 1 registers.ecx: 156 exception.instruction_r: cc c3 cc cc cc cc cc 8b ff 55 8b ec 83 ec 58 a1 exception.symbol: DebugBreak+0x2 OutputDebugStringA-0x26f kernelbase+0x122a1 exception.instruction: int3 exception.module: KERNELBASE.dll exception.exception_code: 0x80000003 exception.offset: 74401 exception.address: 0x778f22a1	success
1619521161.138501 __exception__	stacktrace: 4cb05f749bae8d5b1906c4cdd4a8ff68+0xed286 @ 0x4ed286 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 registers.esp: 1635952 registers.edi: 5538008 registers.eax: 1 registers.ebp: 1635992 registers.edx: 582600 registers.ebx: 0 registers.esi: 1637212 registers.ecx: 0 exception.instruction_r: cc eb 19 8b 45 ec 8b 00 8b 00 33 c9 3d 03 00 00 exception.symbol: 4cb05f749bae8d5b1906c4cdd4a8ff68+0xe609b exception.instruction: int3 exception.module: 4cb05f749bae8d5b1906c4cdd4a8ff68.exe exception.exception_code: 0x80000003 exception.offset: 942235 exception.address: 0x4e609b	success
1619521161.138501 __exception__	stacktrace: 4cb05f749bae8d5b1906c4cdd4a8ff68+0xed344 @ 0x4ed344 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 registers.esp: 1635952 registers.edi: 5538008 registers.eax: 1 registers.ebp: 1635992 registers.edx: 5914152 registers.ebx: 0 registers.esi: 1637212 registers.ecx: 36317144 exception.instruction_r: 0f 3f 07 0b c7 45 fc ff ff ff ff c7 45 fc fe ff exception.symbol: 4cb05f749bae8d5b1906c4cdd4a8ff68+0xe7eb6 exception.address: 0x4e7eb6 exception.module: 4cb05f749bae8d5b1906c4cdd4a8ff68.exe exception.exception_code: 0xc000001d exception.offset: 949942	success
1619521161.153501 __exception__	stacktrace: 4cb05f749bae8d5b1906c4cdd4a8ff68+0xed356 @ 0x4ed356 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 registers.esp: 1635944 registers.edi: 5538008 registers.eax: 1447909480 registers.ebp: 1635992 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 1637212 registers.ecx: 10 exception.instruction_r: ed 89 5d e4 5b c7 45 fc fe ff ff ff 33 c0 81 7d exception.symbol: 4cb05f749bae8d5b1906c4cdd4a8ff68+0xe7f3a exception.instruction: in eax, dx exception.module: 4cb05f749bae8d5b1906c4cdd4a8ff68.exe exception.exception_code: 0xc0000096 exception.offset: 950074 exception.address: 0x4e7f3a	success

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:744799746&cup2hreq=44ddbc93ef43d0330e381bfb2f3aec94816eb3f3966ceed8ccf63de2c144bbeb

Performs some HTTP requests (4 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619491701&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=8e3e4e5f85b80c4&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619491701&mv=m
request	POST https://update.googleapis.com/service/update2?cup2key=10:744799746&cup2hreq=44ddbc93ef43d0330e381bfb2f3aec94816eb3f3966ceed8ccf63de2c144bbeb

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:744799746&cup2hreq=44ddbc93ef43d0330e381bfb2f3aec94816eb3f3966ceed8ccf63de2c144bbeb

Allocates read-write-execute memory (usually to unpack itself) (48 个事件)

Time & API	Arguments	Status
1619521160.434501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 499712 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004dc000	success
1619521160.434501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 679936 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004b0000	success
1619521160.434501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00537000	success
1619521160.434501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0051e000	success
1619521160.434501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00537000	success
1619521160.434501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0051e000	success
1619521160.434501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00537000	success
1619521160.434501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0051e000	success
1619521160.497501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00537000	success
1619521160.497501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0051e000	success
1619521160.497501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00537000	success
1619521160.497501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0051e000	success
1619521160.622501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00537000	success
1619521160.622501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0051e000	success
1619521160.669501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00537000	success
1619521160.669501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0051e000	success
1619521160.669501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00537000	success
1619521160.669501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0051e000	success
1619521160.856501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00537000	success
1619521160.856501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0051e000	success
1619521161.684501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 311296 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00401000	success
1619521161.684501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 630784 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00401000	success
1619521161.684501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 630784 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00401000	success
1619521161.684501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0049b000	success
1619521161.684501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.684501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.684501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.684501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.684501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.684501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.684501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.684501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.700501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.700501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.700501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.700501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.700501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.700501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.700501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.700501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.731501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.731501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.778501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.778501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.778501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.809501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521161.950501 NtProtectVirtualMemory	process_identifier: 2032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004a0000	success
1619521162.169501 NtAllocateVirtualMemory	process_identifier: 2032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00580000	success

Foreign language identified in PE resource (11 个事件)

name

RT_ICON

language

LANG_TURKISH

offset

0x0015dab0

filetype

dBase IV DBT of @.DBF, block length 8192, next free block index 40

sublanguage

SUBLANG_DEFAULT

size

0x000010a8

name

RT_ICON

language

LANG_TURKISH

offset

0x0015dab0

filetype

dBase IV DBT of @.DBF, block length 8192, next free block index 40

sublanguage

SUBLANG_DEFAULT

size

0x000010a8

name

RT_RCDATA

language

LANG_TURKISH

offset

0x00167270

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

offset

0x00167270

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

offset

0x00167270

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

offset

0x00167270

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

offset

0x00167270

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

offset

0x00167270

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

offset

0x00167270

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

size

0x000047d3

name

RT_GROUP_ICON

language

LANG_TURKISH

offset

0x0016bad0

filetype

data

sublanguage

SUBLANG_DEFAULT

size

0x00000014

name

RT_VERSION

language

LANG_TURKISH

offset

0x0016bae4

filetype

data

sublanguage

SUBLANG_DEFAULT

size

0x00000304

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619521161.138501 Process32NextW	process_name: $ snapshot_handle: 0x000000d4 process_identifier: 36	failed	0	0

The binary likely contains encrypted or compressed data indicative of a packer (5 个事件)

entropy

7.999344808935027

section

{'size_of_data': '0x0004b800', 'virtual_address': '0x00001000', 'entropy': 7.999344808935027, 'name': 'CODE', 'virtual_size': '0x0009a000'}

description

A section with a high entropy has been found

entropy

7.535055460711328

section

{'size_of_data': '0x00001600', 'virtual_address': '0x0009b000', 'entropy': 7.535055460711328, 'name': 'DATA', 'virtual_size': '0x00003000'}

description

A section with a high entropy has been found

entropy

7.614400515515375

section

{'size_of_data': '0x00001200', 'virtual_address': '0x000a0000', 'entropy': 7.614400515515375, 'name': '.idata', 'virtual_size': '0x00003000'}

description

A section with a high entropy has been found

entropy

7.333895264693002

section

{'size_of_data': '0x0005a800', 'virtual_address': '0x000b0000', 'entropy': 7.333895264693002, 'name': '.code', 'virtual_size': '0x000a6000'}

description

A section with a high entropy has been found

entropy

0.8377874456183965

description

Overall entropy of this PE file is high

Creates an Alternate Data Stream (ADS) (5 个事件)

file	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFX69KP6FJDB96GLK0M060BPBGLPFSVF7JB4VPJGV
file	C:\ProgramData\DYA_RFVEFSPQPULUKLRTH\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFX69KP6FJDB96GLK0M060BPBGLPFSVF7JB4VPJGV
file	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BFX69KP6FJDB96GLK0M060BPBGLPFSVF7JB4VPJGV
file	C:\ProgramData:$SS_DESCRIPTOR_
file	C:\ProgramData\DYA_RFVEFSPQPULUKLRTH\1.0.0:$SS_DESCRIPTOR_

Checks for the presence of known devices from debuggers and forensic tools (8 个事件)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE
file	\??\REGVXG
file	\??\FILEVXG
file	\??\REGSYS
file	\??\FILEM
file	\??\TRW

Installs itself for autorun at Windows startup (1 个事件)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver

reg_value

C:\ProgramData\Synaptics\Synaptics.exe

Detects VMWare through the in instruction feature (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619521161.153501 __exception__	stacktrace: 4cb05f749bae8d5b1906c4cdd4a8ff68+0xed356 @ 0x4ed356 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126 registers.esp: 1635944 registers.edi: 5538008 registers.eax: 1447909480 registers.ebp: 1635992 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 1637212 registers.ecx: 10 exception.instruction_r: ed 89 5d e4 5b c7 45 fc fe ff ff ff 33 c0 81 7d exception.symbol: 4cb05f749bae8d5b1906c4cdd4a8ff68+0xe7f3a exception.instruction: in eax, dx exception.module: 4cb05f749bae8d5b1906c4cdd4a8ff68.exe exception.exception_code: 0xc0000096 exception.offset: 950074 exception.address: 0x4e7f3a	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619521161.153501
__exception__

stacktrace:

4cb05f749bae8d5b1906c4cdd4a8ff68+0xed356 @ 0x4ed356
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126
RtlAllocateHeap+0x100 RtlInitString-0x72 ntdll+0x2e126 @ 0x77d5e126

registers.esp: 1635944
registers.edi: 5538008
registers.eax: 1447909480
registers.ebp: 1635992
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 1637212
registers.ecx: 10
exception.instruction_r: ed 89 5d e4 5b c7 45 fc fe ff ff ff 33 c0 81 7d
exception.symbol: 4cb05f749bae8d5b1906c4cdd4a8ff68+0xe7f3a
exception.instruction: in eax, dx
exception.module: 4cb05f749bae8d5b1906c4cdd4a8ff68.exe
exception.exception_code: 0xc0000096
exception.offset: 950074
exception.address: 0x4e7f3a

success

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.24.14:443

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 个事件)

Bkav	W32.AIDetectVM.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Mint.SP.Sneaky.1
FireEye	Generic.mg.4cb05f749bae8d5b
CAT-QuickHeal	Trojan.Jacard
McAfee	GenericRXJS-ZR!4CB05F749BAE
Cylance	Unsafe
Zillya	Trojan.Agent.Win32.1218491
Sangfor	Malware
K7AntiVirus	Riskware ( 004bbc081 )
Alibaba	Worm:Win32/Agentb.6e6a459e
K7GW	Riskware ( 004bbc081 )
Cybereason	malicious.b5615f
Arcabit	HEUR.VBA.Trojan.d
BitDefenderTheta	Gen:NN.ZexaF.34670.YO0@aOTwkOjG
Cyren	PP97M/Script.gen
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Zorex-E [Wrm]
ClamAV	Xls.Dropper.Agent-7382066-0
Kaspersky	Trojan.Win32.Agentb.jrhy
BitDefender	Gen:Heur.Mint.SP.Sneaky.1
NANO-Antivirus	Trojan.Win32.Optix.fbquhj
Paloalto	generic.ml
Tencent	Malware.Win32.Gencirc.10b8614a
Ad-Aware	Gen:Heur.Mint.SP.Sneaky.1
Emsisoft	Gen:Heur.Mint.SP.Sneaky.1 (B)
Comodo	Malware@#33kil1qrxb7zw
F-Secure	Trojan:W97M/MaliciousMacro.GEN
DrWeb	BackDoor.Optix.567
VIPRE	Worm.Win32.AutoRun
TrendMicro	Backdoor.Win32.DARKCOMET.ENF
McAfee-GW-Edition	GenericRXJS-ZR!4CB05F749BAE
Sophos	Troj/DocDl-JJH
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.Agentb.gig
Avira	W2000M/Dldr.Agent.17651006
MAX	malware (ai score=88)
Antiy-AVL	Trojan[Downloader]/Script.AGeneric
Kingsoft	Win32.Troj.Agentb.jr.(kcloud)
Gridinsoft	Trojan.Win32.Agent.bot!s1
Microsoft	Worm:Win32/AutoRun!atmn
AegisLab	Trojan.Win32.Agentb.4!c
ZoneAlarm	Trojan.Win32.Agentb.jrhy
GData	Gen:Heur.Mint.SP.Sneaky.1
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.Generic.C3663493
VBA32	Trojan.Agentb
Malwarebytes	Trojan.Agent
ESET-NOD32	a variant of Win32/RiskWare.DYAMAR.B

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library KERNEL32.dll:

• 0x557000 ResetEvent

• 0x557004 CreateThread

• 0x557008 LoadLibraryA

• 0x55700c FindResourceA

• 0x557010 GetModuleHandleA

• 0x557014 LocalAlloc

• 0x557018 LocalFree

• 0x55701c GetCommandLineW

• 0x557020 GlobalAlloc

• 0x557024 GlobalFree

• 0x557028 SetEvent

• 0x55702c CreateProcessA

• 0x557030 ExitProcess

• 0x557034 GetTickCount

Library USER32.dll:

• 0x55703c GetClientRect

• 0x557040 GetWindowRect

• 0x557044 BeginDeferWindowPos

• 0x557048 DeferWindowPos

• 0x55704c EndDeferWindowPos

• 0x557050 ShowWindow

• 0x557054 UpdateWindow

• 0x557058 CreateWindowExA

• 0x55705c LoadBitmapA

• 0x557060 SendMessageA

• 0x557064 DestroyWindow

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196	113.108.239.196
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
r1---sn-j5o7dn7e.gvt1.com	A 113.108.239.194 CNAME r1.sn-j5o7dn7e.gvt1.com	113.108.239.194
clients2.google.com	A 172.217.24.14 CNAME clients.l.google.com	172.217.160.78
redirector.gvt1.com	A 203.208.41.65	203.208.41.33
update.googleapis.com	A 203.208.41.34	203.208.40.98
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49196	113.108.239.194 r1---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49197	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49193	203.208.41.34 update.googleapis.com	443
192.168.56.101	49195	203.208.41.65 redirector.gvt1.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	54260	114.114.114.114	53
192.168.56.101	54991	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58070	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619491701&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619491701&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=8e3e4e5f85b80c4&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619491701&mv=m	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=8e3e4e5f85b80c4&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619491701&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com

URI

Data

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619491701&mv=m&mvi=1&pl=23&shardbypass=yes

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619491701&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=8e3e4e5f85b80c4&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619491701&mv=m

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=8e3e4e5f85b80c4&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619491701&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.