SmartHawk

13.2

0-day

33 个模型检测该样本为恶意！

重新分析

下载样本

749a3882d05266212ebedcb49511b7fda71192511f97cac95501dae70f1e8512

a078d1ec59b389b08d359afe86244523.exe

分析耗时

80s

最近分析

文件大小

2.1MB

静态报毒动态报毒 100% AGEN ARTEMIS ATTRIBUTE CMRTAZOK91J0MSMUIW9UXAQZ3ZVH CONFIDENCE CRYPTBOT DROPPERX ET#100% GAWAAQG@B HFSAUTOB HIGH HIGH CONFIDENCE HIGHCONFIDENCE MALICIOUS PE Q34DOG RAMNIT RDMK SCORE SUSGEN THEMIDA UNSAFE WACATAC ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!A078D1EC59B3	20200221	6.0.6.653
Alibaba		20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Kingsoft		20200221	2013.8.14.323
Tencent		20200221	1.0.0.1
Avast	Win32:DropperX-gen [Drp]	20200221	18.4.3895.0
CrowdStrike	win/malicious_confidence_100% (D)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620987371.057001 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (33 个事件)

Time & API	Arguments	Status	Return	Repeated
1620987334.557001 IsDebuggerPresent		failed	0	0
1620987336.510001 IsDebuggerPresent		failed	0	0
1620987338.525001 IsDebuggerPresent		failed	0	0
1620987340.541001 IsDebuggerPresent		failed	0	0
1620987342.557001 IsDebuggerPresent		failed	0	0
1620987344.572001 IsDebuggerPresent		failed	0	0
1620987346.588001 IsDebuggerPresent		failed	0	0
1620987348.603001 IsDebuggerPresent		failed	0	0
1620987350.619001 IsDebuggerPresent		failed	0	0
1620987352.635001 IsDebuggerPresent		failed	0	0
1620987354.650001 IsDebuggerPresent		failed	0	0
1620987356.666001 IsDebuggerPresent		failed	0	0
1620987358.682001 IsDebuggerPresent		failed	0	0
1620987360.697001 IsDebuggerPresent		failed	0	0
1620987362.713001 IsDebuggerPresent		failed	0	0
1620987364.728001 IsDebuggerPresent		failed	0	0
1620987366.744001 IsDebuggerPresent		failed	0	0
1620987368.760001 IsDebuggerPresent		failed	0	0
1620987370.775001 IsDebuggerPresent		failed	0	0
1620987372.791001 IsDebuggerPresent		failed	0	0
1620987374.807001 IsDebuggerPresent		failed	0	0
1620987376.822001 IsDebuggerPresent		failed	0	0
1620987378.838001 IsDebuggerPresent		failed	0	0
1620987380.853001 IsDebuggerPresent		failed	0	0
1620987382.869001 IsDebuggerPresent		failed	0	0
1620987384.885001 IsDebuggerPresent		failed	0	0
1620987386.900001 IsDebuggerPresent		failed	0	0
1620987388.916001 IsDebuggerPresent		failed	0	0
1620987390.932001 IsDebuggerPresent		failed	0	0
1620987392.947001 IsDebuggerPresent		failed	0	0
1620987394.963001 IsDebuggerPresent		failed	0	0
1620987396.978001 IsDebuggerPresent		failed	0	0
1620987399.010001 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620987371.057001 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 个事件)

section	\x00
section	.idata
section
section	mksiqixy
section	qrpbjxcc

One or more processes crashed (50 out of 115 个事件)

Time & API	Arguments	Status
1620987333.900001 __exception__	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2423248 registers.edi: 0 registers.eax: 1 registers.ebp: 2423264 registers.edx: 18653184 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: a078d1ec59b389b08d359afe86244523+0x3820b9 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 3678393 exception.address: 0x10120b9	success
1620987333.900001 __exception__	stacktrace: registers.esp: 2423212 registers.edi: 13987194 registers.eax: 26615 registers.ebp: 3942731796 registers.edx: 13172736 registers.ebx: 1983119605 registers.esi: 3 registers.ecx: 1983315968 exception.instruction_r: fb e9 ba 02 00 00 f7 d9 f7 d1 e9 7d 01 00 00 29 exception.symbol: a078d1ec59b389b08d359afe86244523+0xc6e2a exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 814634 exception.address: 0xd56e2a	success
1620987333.900001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 13989821 registers.eax: 0 registers.ebp: 3942731796 registers.edx: 13172736 registers.ebx: 1983119605 registers.esi: 3 registers.ecx: 2602154835 exception.instruction_r: fb 52 50 c7 04 24 b2 39 fe 77 ff 34 24 5a 83 c4 exception.symbol: a078d1ec59b389b08d359afe86244523+0xc7055 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 815189 exception.address: 0xd57055	success
1620987333.900001 __exception__	stacktrace: registers.esp: 2423212 registers.edi: 13989821 registers.eax: 30016 registers.ebp: 3942731796 registers.edx: 838826416 registers.ebx: 1983119605 registers.esi: 3 registers.ecx: 13990196 exception.instruction_r: fb 81 c1 e4 12 e5 7c 52 c7 04 24 61 11 13 01 89 exception.symbol: a078d1ec59b389b08d359afe86244523+0xc821d exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 819741 exception.address: 0xd5821d	success
1620987333.900001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 13989821 registers.eax: 30016 registers.ebp: 3942731796 registers.edx: 838826416 registers.ebx: 1983119605 registers.esi: 3 registers.ecx: 14020212 exception.instruction_r: fb 68 f3 6d 5d 0e 89 04 24 89 34 24 89 04 24 53 exception.symbol: a078d1ec59b389b08d359afe86244523+0xc81fe exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 819710 exception.address: 0xd581fe	success
1620987333.900001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 13989821 registers.eax: 238825 registers.ebp: 3942731796 registers.edx: 838826416 registers.ebx: 0 registers.esi: 3 registers.ecx: 13993232 exception.instruction_r: fb 53 89 0c 24 e9 ec 00 00 00 5b e9 94 03 00 00 exception.symbol: a078d1ec59b389b08d359afe86244523+0xc7da6 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 818598 exception.address: 0xd57da6	success
1620987333.900001 __exception__	stacktrace: registers.esp: 2423212 registers.edi: 14026969 registers.eax: 28312 registers.ebp: 3942731796 registers.edx: 2345 registers.ebx: 15557070 registers.esi: 15556531 registers.ecx: 3288334336 exception.instruction_r: fb 52 51 b9 b7 9e 5e 53 e9 7a 07 00 00 81 c5 b4 exception.symbol: a078d1ec59b389b08d359afe86244523+0x24644d exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2384973 exception.address: 0xed644d	success
1620987333.916001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 0 registers.eax: 43837781 registers.ebp: 3942731796 registers.edx: 2345 registers.ebx: 15560658 registers.esi: 15556531 registers.ecx: 3288334336 exception.instruction_r: fb 68 2f 11 bf 54 89 04 24 b8 fc 8c 37 39 50 89 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2466fa exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2385658 exception.address: 0xed66fa	success
1620987333.916001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 15608150 registers.eax: 26026 registers.ebp: 3942731796 registers.edx: 2130566132 registers.ebx: 59966355 registers.esi: 15556531 registers.ecx: 915 exception.instruction_r: fb 50 89 e0 52 e9 35 00 00 00 89 14 24 ba 2a 08 exception.symbol: a078d1ec59b389b08d359afe86244523+0x24cc88 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2411656 exception.address: 0xedcc88	success
1620987333.916001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 15608150 registers.eax: 26026 registers.ebp: 3942731796 registers.edx: 2130566132 registers.ebx: 59966355 registers.esi: 1549541099 registers.ecx: 4294944180 exception.instruction_r: fb 68 69 a0 cb 17 89 1c 24 e9 33 00 00 00 81 c3 exception.symbol: a078d1ec59b389b08d359afe86244523+0x24cbf1 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2411505 exception.address: 0xedcbf1	success
1620987333.932001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 15598048 registers.eax: 0 registers.ebp: 3942731796 registers.edx: 0 registers.ebx: 15585060 registers.esi: 15586832 registers.ecx: 134889 exception.instruction_r: fb 50 55 89 3c 24 68 00 65 57 77 8b 3c 24 81 c4 exception.symbol: a078d1ec59b389b08d359afe86244523+0x24fe9e exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2424478 exception.address: 0xedfe9e	success
1620987333.932001 __exception__	stacktrace: registers.esp: 2423208 registers.edi: 6368898 registers.eax: 1447909480 registers.ebp: 3942731796 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 15619489 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 52 53 89 24 24 81 04 24 exception.symbol: a078d1ec59b389b08d359afe86244523+0x25af3f exception.instruction: in eax, dx exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2469695 exception.address: 0xeeaf3f	success
1620987333.932001 __exception__	stacktrace: registers.esp: 2423208 registers.edi: 6368898 registers.eax: 1 registers.ebp: 3942731796 registers.edx: 22104 registers.ebx: 0 registers.esi: 15619489 registers.ecx: 20 exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: a078d1ec59b389b08d359afe86244523+0x2583af exception.address: 0xee83af exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc000001d exception.offset: 2458543	success
1620987333.932001 __exception__	stacktrace: registers.esp: 2423208 registers.edi: 6368898 registers.eax: 1447909480 registers.ebp: 3942731796 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 15619489 registers.ecx: 10 exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 d5 35 d4 15 01 exception.symbol: a078d1ec59b389b08d359afe86244523+0x259c46 exception.instruction: in eax, dx exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2464838 exception.address: 0xee9c46	success
1620987334.135001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 15686617 registers.eax: 32406 registers.ebp: 3942731796 registers.edx: 2130566132 registers.ebx: 12087827 registers.esi: 10 registers.ecx: 3288334336 exception.instruction_r: fb 31 f6 ff 34 3e ff 34 24 8b 0c 24 57 89 e7 81 exception.symbol: a078d1ec59b389b08d359afe86244523+0x25e335 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2482997 exception.address: 0xeee335	success
1620987334.135001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 15686617 registers.eax: 32406 registers.ebp: 3942731796 registers.edx: 2130566132 registers.ebx: 12087827 registers.esi: 4294937500 registers.ecx: 99115104 exception.instruction_r: fb 68 bc 26 9e 0d e9 a0 ff ff ff 5a 8f 04 24 5c exception.symbol: a078d1ec59b389b08d359afe86244523+0x25e6aa exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2483882 exception.address: 0xeee6aa	success
1620987334.135001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 0 registers.eax: 2423176 registers.ebp: 3942731796 registers.edx: 4294961875 registers.ebx: 15657683 registers.esi: 15657157 registers.ecx: 15657683 exception.instruction_r: cd 01 eb 00 e9 13 00 00 00 d3 aa 4e d2 85 4c 1a exception.symbol: a078d1ec59b389b08d359afe86244523+0x25e9f0 exception.instruction: int 1 exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000005 exception.offset: 2484720 exception.address: 0xeee9f0	success
1620987334.463001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 322689 registers.eax: 15727339 registers.ebp: 3942731796 registers.edx: 0 registers.ebx: 13296451 registers.esi: 1997171570 registers.ecx: 15722315 exception.instruction_r: fb 55 c7 04 24 67 3a 7f 43 53 bb 37 ae ef 3f 21 exception.symbol: a078d1ec59b389b08d359afe86244523+0x26f2fd exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2552573 exception.address: 0xeff2fd	success
1620987334.463001 __exception__	stacktrace: registers.esp: 2423212 registers.edi: 322689 registers.eax: 26574 registers.ebp: 3942731796 registers.edx: 150903857 registers.ebx: 1800888356 registers.esi: 1997171570 registers.ecx: 15733062 exception.instruction_r: fb 81 ec 04 00 00 00 e9 dc fb ff ff 33 04 24 5c exception.symbol: a078d1ec59b389b08d359afe86244523+0x271655 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2561621 exception.address: 0xf01655	success
1620987334.463001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 604292946 registers.eax: 26574 registers.ebp: 3942731796 registers.edx: 4294943668 registers.ebx: 1800888356 registers.esi: 1997171570 registers.ecx: 15759636 exception.instruction_r: fb 53 e9 cc 03 00 00 54 5f 81 c7 04 00 00 00 83 exception.symbol: a078d1ec59b389b08d359afe86244523+0x27136a exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2560874 exception.address: 0xf0136a	success
1620987334.463001 __exception__	stacktrace: registers.esp: 2423212 registers.edi: 604292946 registers.eax: 30833 registers.ebp: 3942731796 registers.edx: 1379079765 registers.ebx: 620021747 registers.esi: 15749792 registers.ecx: 1394825784 exception.instruction_r: fb e9 79 02 00 00 f7 d0 2d 4b 34 2f 5d 81 c7 c9 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2753cd exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2577357 exception.address: 0xf053cd	success
1620987334.463001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 604292946 registers.eax: 30833 registers.ebp: 3942731796 registers.edx: 1379079765 registers.ebx: 620021747 registers.esi: 15780625 registers.ecx: 1394825784 exception.instruction_r: fb 31 d2 56 e9 09 f8 ff ff 8b 1c 24 e9 00 00 00 exception.symbol: a078d1ec59b389b08d359afe86244523+0x275c4b exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2579531 exception.address: 0xf05c4b	success
1620987334.463001 __exception__	stacktrace: registers.esp: 2423216 registers.edi: 583401 registers.eax: 30833 registers.ebp: 3942731796 registers.edx: 4294939072 registers.ebx: 620021747 registers.esi: 15780625 registers.ecx: 1394825784 exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 89 e6 e9 70 00 00 exception.symbol: a078d1ec59b389b08d359afe86244523+0x275aa4 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2579108 exception.address: 0xf05aa4	success
1620987334.478001 __exception__	stacktrace: registers.esp: 2423204 registers.edi: 583401 registers.eax: 29420 registers.ebp: 3942731796 registers.edx: 2130566132 registers.ebx: 15782451 registers.esi: 15780625 registers.ecx: 3288334336 exception.instruction_r: fb e9 82 01 00 00 89 14 24 81 04 24 63 ee 76 5f exception.symbol: a078d1ec59b389b08d359afe86244523+0x27d528 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2610472 exception.address: 0xf0d528	success
1620987334.478001 __exception__	stacktrace: registers.esp: 2423208 registers.edi: 4294940988 registers.eax: 30185 registers.ebp: 3942731796 registers.edx: 2130566132 registers.ebx: 15811871 registers.esi: 15780625 registers.ecx: 3288334336 exception.instruction_r: fb 68 24 5a 18 5c 89 2c 24 68 49 ab cb 5e 89 1c exception.symbol: a078d1ec59b389b08d359afe86244523+0x27dca7 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2612391 exception.address: 0xf0dca7	success
1620987334.478001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 15902348 registers.eax: 32861 registers.ebp: 3942731796 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 116969 registers.ecx: 3288334336 exception.instruction_r: fb 83 ec 04 e9 be fa ff ff 53 55 83 ec 04 89 3c exception.symbol: a078d1ec59b389b08d359afe86244523+0x29a462 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2729058 exception.address: 0xf2a462	success
1620987334.478001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 15904313 registers.eax: 15907616 registers.ebp: 3942731796 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2133048918 registers.ecx: 0 exception.instruction_r: fb 53 c7 04 24 e7 bf a4 7b e9 0c 00 00 00 58 8b exception.symbol: a078d1ec59b389b08d359afe86244523+0x29b7f3 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2734067 exception.address: 0xf2b7f3	success
1620987334.478001 __exception__	stacktrace: registers.esp: 2423172 registers.edi: 15908009 registers.eax: 30610 registers.ebp: 3942731796 registers.edx: 2130566132 registers.ebx: 844333123 registers.esi: 2133048918 registers.ecx: 2040345600 exception.instruction_r: fb 68 33 66 c7 75 89 14 24 ba 99 f7 fd 56 81 ca exception.symbol: a078d1ec59b389b08d359afe86244523+0x29c014 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2736148 exception.address: 0xf2c014	success
1620987334.478001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 15938619 registers.eax: 30610 registers.ebp: 3942731796 registers.edx: 2130566132 registers.ebx: 844333123 registers.esi: 2133048918 registers.ecx: 2040345600 exception.instruction_r: fb 56 89 0c 24 c7 04 24 17 6a 8e 76 e9 b0 01 00 exception.symbol: a078d1ec59b389b08d359afe86244523+0x29c21e exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2736670 exception.address: 0xf2c21e	success
1620987334.478001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 15938619 registers.eax: 1342204512 registers.ebp: 3942731796 registers.edx: 4294939412 registers.ebx: 844333123 registers.esi: 2133048918 registers.ecx: 2040345600 exception.instruction_r: fb 56 51 50 68 1c 79 ef 37 58 f7 d8 e9 cb 02 00 exception.symbol: a078d1ec59b389b08d359afe86244523+0x29c002 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2736130 exception.address: 0xf2c002	success
1620987334.478001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 3958531119 registers.eax: 30574 registers.ebp: 3942731796 registers.edx: 272207689 registers.ebx: 15949287 registers.esi: 2148987537 registers.ecx: 288124537 exception.instruction_r: fb 31 d2 ff 34 13 e9 c1 03 00 00 81 cb cb 56 d9 exception.symbol: a078d1ec59b389b08d359afe86244523+0x29ead1 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2747089 exception.address: 0xf2ead1	success
1620987334.478001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 3958531119 registers.eax: 30574 registers.ebp: 3942731796 registers.edx: 4294940220 registers.ebx: 15949287 registers.esi: 918134157 registers.ecx: 288124537 exception.instruction_r: fb 57 68 e2 2d d9 73 5f 81 c7 e4 33 26 cc 53 89 exception.symbol: a078d1ec59b389b08d359afe86244523+0x29e961 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2746721 exception.address: 0xf2e961	success
1620987334.478001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 0 registers.eax: 28861 registers.ebp: 3942731796 registers.edx: 2130390537 registers.ebx: 65802 registers.esi: 24811 registers.ecx: 15940897 exception.instruction_r: fb 52 c7 04 24 e3 43 b9 56 89 04 24 e9 6d 00 00 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2a39e4 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2767332 exception.address: 0xf339e4	success
1620987334.478001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 15977048 registers.eax: 28656 registers.ebp: 3942731796 registers.edx: 262470787 registers.ebx: 81129 registers.esi: 4294941000 registers.ecx: 15940897 exception.instruction_r: fb e9 dd 02 00 00 ff 34 24 ff 34 24 e9 19 04 00 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2a5a9b exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2775707 exception.address: 0xf35a9b	success
1620987334.494001 __exception__	stacktrace: registers.esp: 2423172 registers.edi: 15974420 registers.eax: 30355 registers.ebp: 3942731796 registers.edx: 15954032 registers.ebx: 970097069 registers.esi: 262470787 registers.ecx: 262470787 exception.instruction_r: fb 53 e9 65 02 00 00 52 54 5a 81 c2 04 00 00 00 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2a7994 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2783636 exception.address: 0xf37994	success
1620987334.494001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 15974420 registers.eax: 30355 registers.ebp: 3942731796 registers.edx: 15984387 registers.ebx: 970097069 registers.esi: 262470787 registers.ecx: 262470787 exception.instruction_r: fb 29 c9 81 ec 04 00 00 00 89 1c 24 89 cb e9 e2 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2a7788 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2783112 exception.address: 0xf37788	success
1620987334.494001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 157417 registers.eax: 30355 registers.ebp: 3942731796 registers.edx: 15984387 registers.ebx: 970097069 registers.esi: 262470787 registers.ecx: 4294940408 exception.instruction_r: fb e9 58 02 00 00 81 f7 be 40 5b 3f 50 89 1c 24 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2a76ed exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2782957 exception.address: 0xf376ed	success
1620987334.494001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 157417 registers.eax: 0 registers.ebp: 3942731796 registers.edx: 1445531474 registers.ebx: 3909414019 registers.esi: 262470787 registers.ecx: 15961464 exception.instruction_r: fb 55 56 be 9d cc df 6d 81 f6 e5 ee 30 11 e9 7e exception.symbol: a078d1ec59b389b08d359afe86244523+0x2a843b exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2786363 exception.address: 0xf3843b	success
1620987334.510001 __exception__	stacktrace: registers.esp: 2423172 registers.edi: 3958549147 registers.eax: 29165 registers.ebp: 3942731796 registers.edx: 1301592 registers.ebx: 3958828959 registers.esi: 31978746 registers.ecx: 16019061 exception.instruction_r: fb 81 c1 c6 f3 fb 17 e9 4a f9 ff ff e9 d8 03 00 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2b752d exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2848045 exception.address: 0xf4752d	success
1620987334.510001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 3958549147 registers.eax: 4294940848 registers.ebp: 3942731796 registers.edx: 1301592 registers.ebx: 322689 registers.esi: 31978746 registers.ecx: 16048226 exception.instruction_r: fb e9 54 02 00 00 81 ec 04 00 00 00 e9 f8 02 00 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2b6ee5 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2846437 exception.address: 0xf46ee5	success
1620987334.541001 __exception__	stacktrace: registers.esp: 2423172 registers.edi: 2130510068 registers.eax: 31768 registers.ebp: 3942731796 registers.edx: 2130510068 registers.ebx: 16040334 registers.esi: 9411408 registers.ecx: 15826650 exception.instruction_r: fb 52 ba 6a 05 db 75 e9 2e f9 ff ff 81 eb 0a d6 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2bcc0d exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2870285 exception.address: 0xf4cc0d	success
1620987334.541001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 2130510068 registers.eax: 31768 registers.ebp: 3942731796 registers.edx: 2130510068 registers.ebx: 16072102 registers.esi: 9411408 registers.ecx: 15826650 exception.instruction_r: fb e9 cc 02 00 00 68 68 a0 43 4b e9 7e 01 00 00 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2bc1d3 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2867667 exception.address: 0xf4c1d3	success
1620987334.541001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 478762833 registers.eax: 31768 registers.ebp: 3942731796 registers.edx: 2130510068 registers.ebx: 16072102 registers.esi: 4294938268 registers.ecx: 15826650 exception.instruction_r: fb 55 53 bb 9d e9 3b 6f f7 d3 f7 db e9 c3 ff ff exception.symbol: a078d1ec59b389b08d359afe86244523+0x2bcacf exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2869967 exception.address: 0xf4cacf	success
1620987334.557001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 16097612 registers.eax: 28297 registers.ebp: 3942731796 registers.edx: 1301592 registers.ebx: 335696162 registers.esi: 16147329 registers.ecx: 3288334336 exception.instruction_r: fb e9 fb 01 00 00 31 04 24 33 04 24 8b 24 24 89 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2cfc86 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2948230 exception.address: 0xf5fc86	success
1620987334.557001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 16097612 registers.eax: 11331927 registers.ebp: 3942731796 registers.edx: 1301592 registers.ebx: 335696162 registers.esi: 16147329 registers.ecx: 4294941588 exception.instruction_r: fb 50 e9 00 00 00 00 89 2c 24 57 89 14 24 e9 b0 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2cfd8f exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2948495 exception.address: 0xf5fd8f	success
1620987334.557001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 16097612 registers.eax: 0 registers.ebp: 3942731796 registers.edx: 622007008 registers.ebx: 335696162 registers.esi: 2298801283 registers.ecx: 16124703 exception.instruction_r: fb e9 9d 01 00 00 81 ec 04 00 00 00 89 34 24 e9 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2d06c1 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2950849 exception.address: 0xf606c1	success
1620987334.572001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 2130510068 registers.eax: 29508 registers.ebp: 3942731796 registers.edx: 16211709 registers.ebx: 2130699510 registers.esi: 2124119938 registers.ecx: 2146690490 exception.instruction_r: fb 53 bb c0 d8 e6 6f b8 40 27 19 90 52 ba 1a ef exception.symbol: a078d1ec59b389b08d359afe86244523+0x2df025 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 3010597 exception.address: 0xf6f025	success
1620987334.588001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 2130510068 registers.eax: 4294940712 registers.ebp: 3942731796 registers.edx: 16211709 registers.ebx: 2130699510 registers.esi: 82608465 registers.ecx: 2146690490 exception.instruction_r: fb 81 ec 04 00 00 00 e9 6c 00 00 00 8b 34 24 81 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2df3b8 exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 3011512 exception.address: 0xf6f3b8	success
1620987334.838001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 0 registers.eax: 29044 registers.ebp: 3942731796 registers.edx: 6631528 registers.ebx: 16910336 registers.esi: 16288885 registers.ecx: 3738837507 exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 89 0c 24 68 76 96 exception.symbol: a078d1ec59b389b08d359afe86244523+0x2f89ad exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 3115437 exception.address: 0xf889ad	success
1620987334.838001 __exception__	stacktrace: registers.esp: 2423176 registers.edi: 0 registers.eax: 25904 registers.ebp: 3942731796 registers.edx: 1276380518 registers.ebx: 720836379 registers.esi: 16315208 registers.ecx: 3738837507 exception.instruction_r: fb 52 c7 04 24 01 7d ff 5a c1 24 24 01 57 bf 8c exception.symbol: a078d1ec59b389b08d359afe86244523+0x2f973c exception.instruction: sti exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 3118908 exception.address: 0xf8973c	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (34 个事件)

Time & API	Arguments	Status
1620987334.603001 NtProtectVirtualMemory	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1620987334.603001 NtProtectVirtualMemory	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1620987334.900001 NtProtectVirtualMemory	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 401408 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00c91000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a20000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b30000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c60000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c70000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c80000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x025d0000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x025e0000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x025f0000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02800000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02810000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02ae0000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02af0000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02c00000	success
1620987334.947001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02d50000	success
1620987334.963001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02d60000	success
1620987334.963001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02d70000	success
1620987334.963001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02e00000	success
1620987334.963001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02e10000	success
1620987334.963001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02e60000	success
1620987334.963001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02e70000	success
1620987334.963001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c80000	success
1620987334.978001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02e80000	success
1620987334.978001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c80000	success
1620987334.978001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c80000	success
1620987334.978001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02ed0000	success
1620987334.978001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c80000	success
1620987334.978001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c80000	success
1620987334.994001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c80000	success
1620987334.994001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c80000	success
1620987334.994001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c80000	success
1620987336.885001 NtAllocateVirtualMemory	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x03160000	success

A process attempted to delay the analysis task. (1 个事件)

description

a078d1ec59b389b08d359afe86244523.exe tried to sleep 652 seconds, actually delayed analysis time by 652 seconds

Steals private information from local Internet browsers (31 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\CookiesCopy-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\WebDataCopy-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\WebDataCopy-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\LoginDataCopy-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\LoginDataCopy-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\CookiesCopy-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 2\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 3\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 1\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 1\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 3\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 2\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 3\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 1\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 2\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\CookiesCopy

Looks up the external IP address (1 个事件)

domain

ip-api.com

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620987339.103001 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (4 个事件)

entropy

7.984337083148965

section

{'size_of_data': '0x00061600', 'virtual_address': '0x00001000', 'entropy': 7.984337083148965, 'name': ' \\x00 ', 'virtual_size': '0x000b2000'}

description

A section with a high entropy has been found

entropy

7.661215437972504

section

{'size_of_data': '0x00000a00', 'virtual_address': '0x000b3000', 'entropy': 7.661215437972504, 'name': '.rsrc', 'virtual_size': '0x00010891'}

description

A section with a high entropy has been found

entropy

7.87396220704369

section

{'size_of_data': '0x001b7200', 'virtual_address': '0x00382000', 'entropy': 7.87396220704369, 'name': 'mksiqixy', 'virtual_size': '0x001b8000'}

description

A section with a high entropy has been found

entropy

0.9993023255813953

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 个事件)

process

system

Queries for potentially installed applications (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620987371.103001 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	failed	2	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Attempts to identify installed AV products by installation directory (2 个事件)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avg

Checks for the presence of known devices from debuggers and forensic tools (3 个事件)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 197 个事件)

Time & API	Arguments	Status
1620987334.541001 FindWindowA	class_name: OLLYDBG window_name:	failed
1620987334.541001 FindWindowA	class_name: GBDYLLO window_name:	failed
1620987334.541001 FindWindowA	class_name: pediy06 window_name:	failed
1620987334.572001 FindWindowA	class_name: FilemonClass window_name:	failed
1620987334.572001 FindWindowA	class_name: FilemonClass window_name:	failed
1620987334.572001 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620987334.572001 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620987334.572001 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620987334.588001 FindWindowA	class_name: RegmonClass window_name:	failed
1620987334.588001 FindWindowA	class_name: RegmonClass window_name:	failed
1620987334.588001 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1620987334.588001 FindWindowA	class_name: 18467-41 window_name:	failed
1620987334.900001 FindWindowA	class_name: FilemonClass window_name:	failed
1620987334.900001 FindWindowA	class_name: FilemonClass window_name:	failed
1620987334.900001 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620987334.900001 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620987334.900001 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620987336.510001 FindWindowA	class_name: OLLYDBG window_name:	failed
1620987336.510001 FindWindowA	class_name: GBDYLLO window_name:	failed
1620987336.510001 FindWindowA	class_name: pediy06 window_name:	failed
1620987338.525001 FindWindowA	class_name: OLLYDBG window_name:	failed
1620987338.525001 FindWindowA	class_name: GBDYLLO window_name:	failed
1620987338.525001 FindWindowA	class_name: pediy06 window_name:	failed
1620987338.947001 FindWindowA	class_name: Regmonclass window_name:	failed
1620987338.947001 FindWindowA	class_name: Regmonclass window_name:	failed
1620987339.260001 FindWindowA	class_name: 18467-41 window_name:	failed
1620987339.572001 FindWindowA	class_name: Filemonclass window_name:	failed
1620987339.572001 FindWindowA	class_name: Filemonclass window_name:	failed
1620987339.572001 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620987340.541001 FindWindowA	class_name: OLLYDBG window_name:	failed
1620987340.541001 FindWindowA	class_name: GBDYLLO window_name:	failed
1620987340.541001 FindWindowA	class_name: pediy06 window_name:	failed
1620987342.557001 FindWindowA	class_name: OLLYDBG window_name:	failed
1620987342.557001 FindWindowA	class_name: GBDYLLO window_name:	failed
1620987342.557001 FindWindowA	class_name: pediy06 window_name:	failed
1620987343.572001 FindWindowA	class_name: Regmonclass window_name:	failed
1620987343.572001 FindWindowA	class_name: Regmonclass window_name:	failed
1620987343.885001 FindWindowA	class_name: 18467-41 window_name:	failed
1620987344.197001 FindWindowA	class_name: Filemonclass window_name:	failed
1620987344.197001 FindWindowA	class_name: Filemonclass window_name:	failed
1620987344.197001 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620987344.572001 FindWindowA	class_name: OLLYDBG window_name:	failed
1620987344.572001 FindWindowA	class_name: GBDYLLO window_name:	failed
1620987344.572001 FindWindowA	class_name: pediy06 window_name:	failed
1620987346.588001 FindWindowA	class_name: OLLYDBG window_name:	failed
1620987346.588001 FindWindowA	class_name: GBDYLLO window_name:	failed
1620987346.588001 FindWindowA	class_name: pediy06 window_name:	failed
1620987348.197001 FindWindowA	class_name: Regmonclass window_name:	failed
1620987348.197001 FindWindowA	class_name: Regmonclass window_name:	failed
1620987348.510001 FindWindowA	class_name: 18467-41 window_name:	failed

Checks the version of Bios, possibly for anti-virtualization (2 个事件)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Attempts to access Bitcoin/ALTCoin wallets (1 个事件)

file	C:\ProgramData\tc7BxUeT8piV\Files\Coins\Electrum\wallets

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1620987341.697001 RegSetValueExA	key_handle: 0x000004ec value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620987341.713001 RegSetValueExA	key_handle: 0x000004ec value: 0IuH× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620987341.713001 RegSetValueExA	key_handle: 0x000004ec value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620987341.713001 RegSetValueExW	key_handle: 0x000004ec value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620987341.713001 RegSetValueExA	key_handle: 0x00000500 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620987341.713001 RegSetValueExA	key_handle: 0x00000500 value: 0IuH× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620987341.713001 RegSetValueExA	key_handle: 0x00000500 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620987341.744001 RegSetValueExW	key_handle: 0x000004e8 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

Detects VirtualBox through the presence of a registry key (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620987333.932001 __exception__	stacktrace: registers.esp: 2423208 registers.edi: 6368898 registers.eax: 1447909480 registers.ebp: 3942731796 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 15619489 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 52 53 89 24 24 81 04 24 exception.symbol: a078d1ec59b389b08d359afe86244523+0x25af3f exception.instruction: in eax, dx exception.module: a078d1ec59b389b08d359afe86244523.exe exception.exception_code: 0xc0000096 exception.offset: 2469695 exception.address: 0xeeaf3f	success	0	0

Detects the presence of Wine emulator (1 个事件)

registry

HKEY_CURRENT_USER\Software\Wine

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

208.95.112.1:80

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 个事件)

Bkav	W32.HfsAutoB.
McAfee	Artemis!A078D1EC59B3
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 0040f4ef1 )
K7GW	Trojan ( 0040f4ef1 )
Cybereason	malicious.b36a86
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
Rising	Malware.Heuristic!ET#100% (RDMK:cmRtazok91J0MSMuIW9uxAQz3zVH)
Endgame	malicious (high confidence)
Sophos	Mal/Generic-S
F-Secure	Heuristic.HEUR/AGEN.1045048
Invincea	heuristic
McAfee-GW-Edition	BehavesLike.Win32.Ramnit.vc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.a078d1ec59b389b0
Avira	HEUR/AGEN.1045048
eGambit	Unsafe.AI_Score_99%
Microsoft	Trojan:Win32/Wacatac.D!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Win32.Trojan.Agent.Q34DOG
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34090.gAWaaqG@B!li
Malwarebytes	Spyware.CryptBot.Themida.Generic
ESET-NOD32	a variant of Win32/Packed.Themida.HIQ
SentinelOne	DFI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:DropperX-gen [Drp]
Avast	Win32:DropperX-gen [Drp]
CrowdStrike	win/malicious_confidence_100% (D)

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-02-14 05:05:22

Imports

Library kernel32.dll:

• 0x4c4033 lstrcpy

Library comctl32.dll:

• 0x4c403b InitCommonControls

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
rifat02.info
ip-api.com	A 208.95.112.1	208.95.112.1
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.