8.0
High risk

af5ae0aba04ac65ee90d3f34c0fa2b98eb4313e83772c8fca9f38768766088a6

678bfc0629a49c5f861ebc7dde57a1a9.exe

Analysis duration: 87s

Last analyzed

File size: 2.4MB
Static detections / dynamic detections: 0NA103EF20 AFAK AI SCORE=82 ARTEMIS ATTRIBUTE BA0AAMV5POJ CLOUD CONFIDENCE GGAUND HFSAUTOB HIGH CONFIDENCE HIGHCONFIDENCE KUDJ MALICIOUS PE NHSPK PHPW POSSIBLETHREAT SCORE STRICTOR SUSGEN THEMIDA TIGGRE TSCOPE UNSAFE WPJV ZEXAF
Eagle Eye engine
Not detected (no Eagle Eye engine results available)
Static verdict
Antivirus engines
Engine Result Scan time Version
McAfee Artemis!678BFC0629A4 20200516 6.0.6.653
Alibaba TrojanDownloader:Win32/Themida.7c3482ed 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Kingsoft 20200516 2013.8.14.323
Tencent Win32.Trojan-downloader.Phpw.Wpjv 20200516 1.0.0.1
Avast Win32:Trojan-gen 20200516 18.4.3895.0
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1620967852.052876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (3 events)
Time & API Arguments Status Return Repeated
1620967848.318876
IsDebuggerPresent
failed 0 0
1620967849.818876
IsDebuggerPresent
failed 0 0
1620967849.818876
IsDebuggerPresent
failed 0 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620967849.896876
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 events)
section \x00
section .idata
section
section cdyixdws
section ivbzcdhv
One or more processes crashed (50 out of 120 events)
Behavioral Verdict
Dynamic Indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 928 events)
Time & API Arguments Status Return Repeated
1620967847.552876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75251000
success 0 0
1620967847.568876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75f61000
success 0 0
1620967847.583876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76541000
success 0 0
1620967847.583876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x766f1000
success 0 0
1620967847.583876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x768e2000
success 0 0
1620967847.583876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x776b1000
success 0 0
1620967847.583876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77860000
success 0 0
1620967847.599876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75251000
success 0 0
1620967847.599876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x752512d0
failed 3221225477 0
1620967847.599876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x754a1000
success 0 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75900000
success 0 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76541000
success 0 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x765417d0
failed 3221225477 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x765e1000
success 0 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x766f1000
success 0 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x766f19a8
failed 3221225477 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x768e2000
success 0 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x768e224c
failed 3221225477 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x775a0000
success 0 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x776b1000
success 0 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x776b1014
failed 3221225477 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77860000
success 0 0
1620967847.615876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77860070
failed 3221225477 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75951000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75c80000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x766f1000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x766f1394
failed 3221225477 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x768e1000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75251000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75251188
failed 3221225477 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x754a1000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x754a1350
failed 3221225477 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75f61000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75f610e4
failed 3221225477 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76541000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x7654180c
failed 3221225477 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x765e1000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x765e10ec
failed 3221225477 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x775a0000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x775a035c
failed 3221225477 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x776b1000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x776b11c8
failed 3221225477 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75951000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75951198
failed 3221225477 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75c80000
success 0 0
1620967847.630876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75c80270
failed 3221225477 0
1620967847.646876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x766f1000
success 0 0
1620967847.646876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x766f13a8
failed 3221225477 0
1620967847.646876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x768e1000
success 0 0
1620967847.646876
NtProtectVirtualMemory
process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x768e124c
failed 3221225477 0
A process attempted to delay the analysis task. (1 event)
description 678bfc0629a49c5f861ebc7dde57a1a9.exe tried to sleep 192 seconds, actually delayed analysis time by 192 seconds
The binary likely contains encrypted or compressed data indicative of a packer (4 events)
entropy 7.95898912866283 section {'size_of_data': '0x000b7000', 'virtual_address': '0x00002000', 'entropy': 7.95898912866283, 'name': ' \\x00 ', 'virtual_size': '0x000ec000'} description A section with a high entropy has been found
entropy 7.8368898298644005 section {'size_of_data': '0x00003000', 'virtual_address': '0x000ee000', 'entropy': 7.8368898298644005, 'name': '.rsrc', 'virtual_size': '0x00009930'} description A section with a high entropy has been found
entropy 7.943728812826311 section {'size_of_data': '0x001b1200', 'virtual_address': '0x003a2000', 'entropy': 7.943728812826311, 'name': 'cdyixdws', 'virtual_size': '0x001b2000'} description A section with a high entropy has been found
entropy 0.9993946731234867 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process system
Network Communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Checks for the presence of known devices from debuggers and forensic tools (3 events)
file \??\SICE
file \??\SIWVID
file \??\NTICE
Checks for the presence of known windows from debuggers and forensic tools (17 events)
Time & API Arguments Status Return Repeated
1620967848.271876
FindWindowA
class_name: OLLYDBG
window_name:
failed 0 0
1620967848.271876
FindWindowA
class_name: GBDYLLO
window_name:
failed 0 0
1620967848.271876
FindWindowA
class_name: pediy06
window_name:
failed 0 0
1620967848.318876
FindWindowA
class_name: FilemonClass
window_name:
failed 0 0
1620967848.318876
FindWindowA
class_name: FilemonClass
window_name:
failed 0 0
1620967848.318876
FindWindowA
class_name: #0
window_name: File Monitor - Sysinternals: www.sysinternals.com
failed 0 0
1620967848.318876
FindWindowA
class_name: PROCMON_WINDOW_CLASS
window_name:
failed 0 0
1620967848.318876
FindWindowA
class_name: #0
window_name: Process Monitor - Sysinternals: www.sysinternals.com
failed 0 0
1620967848.333876
FindWindowA
class_name: RegmonClass
window_name:
failed 0 0
1620967848.333876
FindWindowA
class_name: RegmonClass
window_name:
failed 0 0
1620967848.333876
FindWindowA
class_name: #0
window_name: Registry Monitor - Sysinternals: www.sysinternals.com
failed 0 0
1620967848.333876
FindWindowA
class_name: 18467-41
window_name:
failed 0 0
1620967848.583876
FindWindowA
class_name: FilemonClass
window_name:
failed 0 0
1620967848.583876
FindWindowA
class_name: FilemonClass
window_name:
failed 0 0
1620967848.583876
FindWindowA
class_name: #0
window_name: File Monitor - Sysinternals: www.sysinternals.com
failed 0 0
1620967848.583876
FindWindowA
class_name: PROCMON_WINDOW_CLASS
window_name:
failed 0 0
1620967848.583876
FindWindowA
class_name: #0
window_name: Process Monitor - Sysinternals: www.sysinternals.com
failed 0 0
Checks the version of the BIOS, possibly for anti-virtualization (2 events)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Detects VirtualBox through the presence of a registry key (1 event)
registry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Detects VMware through the "in" instruction feature (1 event)
Time & API Arguments Status Return Repeated
1620967847.037876
__exception__
stacktrace:

registers.esp: 8912560
registers.edi: 4294939520
registers.eax: 1447909480
registers.ebp: 3992821780
registers.edx: 22104
registers.ebx: 1983254709
registers.esi: 4406423
registers.ecx: 20
exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 c7 02 00 00 83 ea 04
exception.symbol: 678bfc0629a49c5f861ebc7dde57a1a9+0x283d9e
exception.instruction: in eax, dx
exception.module: 678bfc0629a49c5f861ebc7dde57a1a9.exe
exception.exception_code: 0xc0000096
exception.offset: 2637214
exception.address: 0x433d9e
success 0 0
Detects the presence of the Wine emulator (1 event)
registry HKEY_CURRENT_USER\Software\Wine
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)
Bkav W32.HfsAutoB.
MicroWorld-eScan Gen:Variant.Strictor.233273
FireEye Generic.mg.678bfc0629a49c5f
McAfee Artemis!678BFC0629A4
Cylance Unsafe
Zillya Trojan.Themida.Win32.3142
Sangfor Malware
K7AntiVirus Trojan ( 0054aaac1 )
Alibaba TrojanDownloader:Win32/Themida.7c3482ed
K7GW Trojan ( 0054aaac1 )
Cybereason malicious.629a49
Invincea heuristic
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan-Downloader.Win32.Phpw.dxx
BitDefender Gen:Variant.Strictor.233273
NANO-Antivirus Trojan.Win32.Phpw.ggaund
AegisLab Trojan.Win32.Generic.a!c
Rising Downloader.Generic!8.141 (CLOUD)
Endgame malicious (high confidence)
Emsisoft Gen:Variant.Strictor.233273 (B)
F-Secure Trojan.TR/Dldr.Agent.nhspk
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_FRS.0NA103EF20
McAfee-GW-Edition BehavesLike.Win32.Kudj.vc
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Cyren W32/Trojan.AFAK-6196
Webroot W32.Trojan.Gen
Avira TR/Dldr.Agent.nhspk
eGambit Unsafe.AI_Score_99%
Antiy-AVL Trojan[Downloader]/Win32.Phpw
Microsoft Trojan:Win32/Tiggre!rfn
Arcabit Trojan.Strictor.D38F39
ZoneAlarm Trojan-Downloader.Win32.Phpw.dxx
GData Gen:Variant.Strictor.233273
AhnLab-V3 Malware/Win32.Generic.C3263734
Acronis suspicious
VBA32 TScope.Malware-Cryptor.SB
ALYac Gen:Variant.Strictor.233273
MAX malware (ai score=82)
Ad-Aware Gen:Variant.Strictor.233273
Panda Trj/CI.A
ESET-NOD32 a variant of Win32/Packed.Themida.EYA
TrendMicro-HouseCall TROJ_FRS.0NA103EF20
Tencent Win32.Trojan-downloader.Phpw.Wpjv
Yandex Trojan.DL.Phpw!
Ikarus Trojan.Win32.Themida
MaxSecure Trojan.Malware.74673088.susgen
Visual Analysis
Binary Image
No binary image available: this sample did not generate a binary visualization image
Runtime Screenshots
No runtime screenshots available: no screenshots were generated while the sample ran


PE Compile Time

2019-11-03 23:09:29

Imports

Library kernel32.dll:
0x4f8033 lstrcpy
Library comctl32.dll:
0x4f803b InitCommonControls

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50537 239.255.255.250 1900
192.168.56.101 53658 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.