SmartHawk

5.2

中危

59 个模型检测该样本为恶意！

重新分析

下载样本

0ec947a4f30a6ad7d055c72f5d6c1ffe7a538349f41e8156e9aa5c7a8b0d7811

5a5c745bf3e97fe2be01880132662f28.exe

分析耗时

76s

最近分析

文件大小

291.5KB

静态报毒动态报毒 100% AI SCORE=100 AIDETECTVM ATTRIBUTE CKGENERIC CLOUD CONFIDENCE GENCIRC GENERICKD GENERICRXAA HIGH CONFIDENCE HIGHCONFIDENCE HKEJNV JIGSAW JIGSAWLOCKER KRYPTIK MALICIOUS PE MALWARE1 MALWARE@#BE2LA2745P78 MIII MPOND R340351 SCORE SIGGEN2 SQ0@AAQW4YO SUSGEN THEAEBO TIGGRE UNSAFE WPSN XADUET ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXAA-AA!5A5C745BF3E9	20200630	6.0.6.653
Alibaba	Trojan:Win32/Kryptik.dbdc294f	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Trojan-gen	20200630	18.4.3895.0
Kingsoft		20200630	2013.8.14.323
Tencent	Malware.Win32.Gencirc.117550af	20200630	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619513307.584952 IsDebuggerPresent		failed	0	0
1619539154.686375 IsDebuggerPresent		failed	0	0

Uses Windows APIs to generate a cryptographic key (12 个事件)

Time & API	Arguments	Status	Return
1619513308.193952 CryptExportKey	crypto_handle: 0x005fdeb0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619513308.209952 CryptExportKey	crypto_handle: 0x00601f20 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619513308.834952 CryptExportKey	crypto_handle: 0x00602020 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619513308.834952 CryptExportKey	crypto_handle: 0x00602020 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619513309.131952 CryptExportKey	crypto_handle: 0x00602120 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619513309.318952 CryptExportKey	crypto_handle: 0x00602120 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619539154.811375 CryptExportKey	crypto_handle: 0x005d1768 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619539154.811375 CryptExportKey	crypto_handle: 0x005d3b48 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619539154.952375 CryptExportKey	crypto_handle: 0x005d3c48 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619539154.952375 CryptExportKey	crypto_handle: 0x005d3c48 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619539155.092375 CryptExportKey	crypto_handle: 0x005d3c48 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619539155.561375 CryptExportKey	crypto_handle: 0x005d3c48 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1

This executable has a PDB path (1 个事件)

pdb_path

One or more processes crashed (50 out of 78 个事件)

Time & API	Arguments	Status
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1637008 registers.edi: 4350244 registers.eax: 0 registers.ebp: 1637024 registers.edx: 0 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 12 exception.instruction_r: f3 aa 8b 45 f0 8b 4d 08 8b 55 10 03 c8 2b d0 52 exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xf048 exception.instruction: stosb byte ptr es:[edi], al exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61512 exception.address: 0x40f048	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4353968 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1198 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4358064 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1166 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4362160 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1134 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4366256 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1102 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4370352 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1070 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4374448 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1038 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4378544 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1006 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4382640 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 974 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4386736 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 942 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4390832 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 910 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4394928 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 878 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4399024 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 846 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4403120 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 814 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4407216 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 782 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4411312 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 750 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4415408 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 718 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.693952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4419504 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 686 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4423600 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 654 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4427696 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 622 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4431792 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 590 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4435888 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 558 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4439984 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 526 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4444080 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 494 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4448176 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 462 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4452272 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 430 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4456368 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 398 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4460464 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 366 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4464560 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 334 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4468656 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 302 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4472752 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 270 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4476848 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 238 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4480944 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 206 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4485040 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 174 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4489136 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 142 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4493232 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 110 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4497328 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 78 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4501424 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 46 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619513306.709952 __exception__	stacktrace: 5a5c745bf3e97fe2be01880132662f28+0xf014 @ 0x40f014 5a5c745bf3e97fe2be01880132662f28+0xf060 @ 0x40f060 5a5c745bf3e97fe2be01880132662f28+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4505520 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 14 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: 5a5c745bf3e97fe2be01880132662f28+0xefbf exception.address: 0x40efbf exception.module: 5a5c745bf3e97fe2be01880132662f28.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619539154.546375 __exception__	stacktrace: drpbx+0x1f28 @ 0x401f28 registers.esp: 1637008 registers.edi: 4350244 registers.eax: 0 registers.ebp: 1637024 registers.edx: 0 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 12 exception.instruction_r: f3 aa 8b 45 f0 8b 4d 08 8b 55 10 03 c8 2b d0 52 exception.symbol: drpbx+0xf048 exception.instruction: stosb byte ptr es:[edi], al exception.module: drpbx.exe exception.exception_code: 0xc0000005 exception.offset: 61512 exception.address: 0x40f048	success
1619539154.561375 __exception__	stacktrace: drpbx+0xf014 @ 0x40f014 drpbx+0xf060 @ 0x40f060 drpbx+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4353968 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1198 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: drpbx+0xefbf exception.address: 0x40efbf exception.module: drpbx.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619539154.561375 __exception__	stacktrace: drpbx+0xf014 @ 0x40f014 drpbx+0xf060 @ 0x40f060 drpbx+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4358064 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1166 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: drpbx+0xefbf exception.address: 0x40efbf exception.module: drpbx.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619539154.561375 __exception__	stacktrace: drpbx+0xf014 @ 0x40f014 drpbx+0xf060 @ 0x40f060 drpbx+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4362160 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1134 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: drpbx+0xefbf exception.address: 0x40efbf exception.module: drpbx.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619539154.561375 __exception__	stacktrace: drpbx+0xf014 @ 0x40f014 drpbx+0xf060 @ 0x40f060 drpbx+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4366256 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1102 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: drpbx+0xefbf exception.address: 0x40efbf exception.module: drpbx.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619539154.561375 __exception__	stacktrace: drpbx+0xf014 @ 0x40f014 drpbx+0xf060 @ 0x40f060 drpbx+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4370352 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1070 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: drpbx+0xefbf exception.address: 0x40efbf exception.module: drpbx.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619539154.561375 __exception__	stacktrace: drpbx+0xf014 @ 0x40f014 drpbx+0xf060 @ 0x40f060 drpbx+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4374448 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1038 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: drpbx+0xefbf exception.address: 0x40efbf exception.module: drpbx.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619539154.561375 __exception__	stacktrace: drpbx+0xf014 @ 0x40f014 drpbx+0xf060 @ 0x40f060 drpbx+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4378544 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 1006 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: drpbx+0xefbf exception.address: 0x40efbf exception.module: drpbx.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619539154.561375 __exception__	stacktrace: drpbx+0xf014 @ 0x40f014 drpbx+0xf060 @ 0x40f060 drpbx+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4382640 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 974 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: drpbx+0xefbf exception.address: 0x40efbf exception.module: drpbx.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619539154.561375 __exception__	stacktrace: drpbx+0xf014 @ 0x40f014 drpbx+0xf060 @ 0x40f060 drpbx+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4386736 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 942 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: drpbx+0xefbf exception.address: 0x40efbf exception.module: drpbx.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success
1619539154.561375 __exception__	stacktrace: drpbx+0xf014 @ 0x40f014 drpbx+0xf060 @ 0x40f060 drpbx+0x1f28 @ 0x401f28 registers.esp: 1636952 registers.edi: 4390832 registers.eax: 4350256 registers.ebp: 1636956 registers.edx: 125 registers.ebx: 4350244 registers.esi: 4350244 registers.ecx: 910 exception.instruction_r: 66 0f 7f 47 50 66 0f 7f 47 60 66 0f 7f 47 70 8d exception.symbol: drpbx+0xefbf exception.address: 0x40efbf exception.module: drpbx.exe exception.exception_code: 0xc0000005 exception.offset: 61375	success

Allocates read-write-execute memory (usually to unpack itself) (50 out of 76 个事件)

Time & API	Arguments	Status
1619513306.787952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02290000	success
1619513306.787952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x022e0000	success
1619513307.443952 NtProtectVirtualMemory	process_identifier: 368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success
1619513307.584952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007fa000	success
1619513307.584952 NtProtectVirtualMemory	process_identifier: 368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success
1619513307.584952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007f2000	success
1619513307.927952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02202000	success
1619513308.006952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x022e1000	success
1619513308.052952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x022e2000	success
1619513308.162952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02222000	success
1619513308.162952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0222c000	success
1619513308.271952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x022e4000	success
1619513308.302952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02203000	success
1619513308.302952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0220c000	success
1619513308.302952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x022e5000	success
1619513308.302952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x022e7000	success
1619513308.459952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x046e0000	success
1619513308.771952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02204000	success
1619513308.771952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02205000	success
1619513308.818952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0223b000	success
1619513308.818952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02237000	success
1619513308.834952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02206000	success
1619513308.834952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0222a000	success
1619513308.849952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02207000	success
1619513308.974952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x046e1000	success
1619513308.990952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x046ea000	success
1619513309.037952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0220a000	success
1619513309.131952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007fb000	success
1619513309.209952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02216000	success
1619513309.209952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0221a000	success
1619513309.209952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02217000	success
1619513309.209952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x022e9000	success
1619513309.224952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04960000	success
1619513309.224952 NtProtectVirtualMemory	process_identifier: 368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x750e5000	success
1619513309.256952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02208000	success
1619513309.256952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x046eb000	success
1619513309.318952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x046ec000	success
1619513309.490952 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x046ef000	success
1619539154.592375 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x026d0000	success
1619539154.592375 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x028c0000	success
1619539154.655375 NtProtectVirtualMemory	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success
1619539154.686375 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007fa000	success
1619539154.686375 NtProtectVirtualMemory	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success
1619539154.686375 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007f2000	success
1619539154.764375 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00802000	success
1619539154.780375 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x028c1000	success
1619539154.780375 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x028c2000	success
1619539154.780375 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00822000	success
1619539154.780375 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0082c000	success
1619539154.827375 NtAllocateVirtualMemory	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x028c4000	success

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.99622666686615

section

{'size_of_data': '0x00026e00', 'virtual_address': '0x00026000', 'entropy': 7.99622666686615, 'name': '.rsrc', 'virtual_size': '0x00026c34'}

description

A section with a high entropy has been found

entropy

0.5352839931153184

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619513309.084952 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619539155.077375 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (2 个事件)

host	124.229.53.1
host	172.217.24.14

Installs itself for autorun at Windows startup (1 个事件)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe

reg_value

C:\Users\Administrator.Oskar-PC\AppData\Roaming\Frfx\firefox.exe

Generates some ICMP traffic

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 个事件)

Bkav	W32.AIDetectVM.malware1
MicroWorld-eScan	Trojan.GenericKD.43167265
FireEye	Generic.mg.5a5c745bf3e97fe2
CAT-QuickHeal	Trojan.CKGENERIC
Qihoo-360	Win32/Trojan.67e
McAfee	GenericRXAA-AA!5A5C745BF3E9
Cylance	Unsafe
Zillya	Trojan.Agent.Win32.1336597
Sangfor	Malware
K7AntiVirus	Trojan ( 00566ccf1 )
Alibaba	Trojan:Win32/Kryptik.dbdc294f
K7GW	Trojan ( 00566ccf1 )
Cybereason	malicious.d379fc
Invincea	heuristic
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	Trojan.Win32.Agent.xaduet
BitDefender	Trojan.GenericKD.43167265
NANO-Antivirus	Trojan.Win32.Kryptik.hkejnv
Paloalto	generic.ml
AegisLab	Trojan.Win32.Generic.miii
Rising	Ransom.JigsawLocker!8.52DD (CLOUD)
Endgame	malicious (high confidence)
Emsisoft	Trojan.Agent (A)
Comodo	Malware@#be2la2745p78
F-Secure	Trojan.TR/AD.Jigsaw.mpond
DrWeb	BackDoor.Siggen2.3177
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Ransom.Win32.JIGSAW.THEAEBO
Sophos	Mal/Generic-S
SentinelOne	DFI - Malicious PE
Cyren	W32/Trojan.WPSN-8873
Webroot	W32.Trojan.Gen
Avira	TR/AD.Jigsaw.mpond
Antiy-AVL	Trojan/Win32.Agent
Microsoft	Ransom:MSIL/JigsawLocker.A
Arcabit	Trojan.Generic.D292AE21
ViRobot	Trojan.Win32.S.Agent.298496.BE
ZoneAlarm	Trojan.Win32.Agent.xaduet
GData	Trojan.GenericKD.43167265
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Generic.R340351
Acronis	suspicious
VBA32	Trojan.Tiggre
ALYac	Trojan.Ransom.Jigsaw
MAX	malware (ai score=100)
Ad-Aware	Trojan.GenericKD.43167265
Malwarebytes	Ransom.Jigsaw
ESET-NOD32	a variant of MSIL/Kryptik.VYD

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-15 10:25:48

Imports

Library KERNEL32.dll:

• 0x41b000 RaiseException

• 0x41b004 GetLastError

• 0x41b008 MultiByteToWideChar

• 0x41b00c lstrlenA

• 0x41b010 InterlockedDecrement

• 0x41b014 GetProcAddress

• 0x41b018 LoadLibraryA

• 0x41b01c FreeResource

• 0x41b020 SizeofResource

• 0x41b024 LockResource

• 0x41b028 LoadResource

• 0x41b02c FindResourceA

• 0x41b030 GetModuleHandleA

• 0x41b034 Module32Next

• 0x41b038 CloseHandle

• 0x41b03c Module32First

• 0x41b040 CreateToolhelp32Snapshot

• 0x41b044 GetCurrentProcessId

• 0x41b048 SetEndOfFile

• 0x41b04c GetStringTypeW

• 0x41b050 GetStringTypeA

• 0x41b054 LCMapStringW

• 0x41b058 LCMapStringA

• 0x41b05c GetLocaleInfoA

• 0x41b060 CreateFileA

• 0x41b064 HeapFree

• 0x41b068 GetProcessHeap

• 0x41b06c HeapAlloc

• 0x41b070 GetCommandLineA

• 0x41b074 HeapCreate

• 0x41b078 VirtualFree

• 0x41b07c DeleteCriticalSection

• 0x41b080 LeaveCriticalSection

• 0x41b084 EnterCriticalSection

• 0x41b088 VirtualAlloc

• 0x41b08c HeapReAlloc

• 0x41b090 HeapSize

• 0x41b094 TerminateProcess

• 0x41b098 GetCurrentProcess

• 0x41b09c UnhandledExceptionFilter

• 0x41b0a0 SetUnhandledExceptionFilter

• 0x41b0a4 IsDebuggerPresent

• 0x41b0a8 GetModuleHandleW

• 0x41b0ac Sleep

• 0x41b0b0 ExitProcess

• 0x41b0b4 WriteFile

• 0x41b0b8 GetStdHandle

• 0x41b0bc GetModuleFileNameA

• 0x41b0c0 WideCharToMultiByte

• 0x41b0c4 GetConsoleCP

• 0x41b0c8 GetConsoleMode

• 0x41b0cc ReadFile

• 0x41b0d0 TlsGetValue

• 0x41b0d4 TlsAlloc

• 0x41b0d8 TlsSetValue

• 0x41b0dc TlsFree

• 0x41b0e0 InterlockedIncrement

• 0x41b0e4 SetLastError

• 0x41b0e8 GetCurrentThreadId

• 0x41b0ec FlushFileBuffers

• 0x41b0f0 SetFilePointer

• 0x41b0f4 SetHandleCount

• 0x41b0f8 GetFileType

• 0x41b0fc GetStartupInfoA

• 0x41b100 RtlUnwind

• 0x41b104 FreeEnvironmentStringsA

• 0x41b108 GetEnvironmentStrings

• 0x41b10c FreeEnvironmentStringsW

• 0x41b110 GetEnvironmentStringsW

• 0x41b114 QueryPerformanceCounter

• 0x41b118 GetTickCount

• 0x41b11c GetSystemTimeAsFileTime

• 0x41b120 InitializeCriticalSectionAndSpinCount

• 0x41b124 GetCPInfo

• 0x41b128 GetACP

• 0x41b12c GetOEMCP

• 0x41b130 IsValidCodePage

• 0x41b134 CompareStringA

• 0x41b138 CompareStringW

• 0x41b13c SetEnvironmentVariableA

• 0x41b140 WriteConsoleA

• 0x41b144 GetConsoleOutputCP

• 0x41b148 WriteConsoleW

• 0x41b14c SetStdHandle

Library ole32.dll:

• 0x41b184 OleInitialize

Library OLEAUT32.dll:

• 0x41b154 VariantInit

• 0x41b158 SafeArrayCreate

• 0x41b15c SafeArrayAccessData

• 0x41b160 SafeArrayUnaccessData

• 0x41b164 SafeArrayDestroy

• 0x41b168 SafeArrayCreateVector

• 0x41b16c VariantClear

• 0x41b170 SysFreeString

• 0x41b174 SysAllocString

Library mscoree.dll:

• 0x41b17c CorBindToRuntimeEx

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.