SmartHawk

12.0

0-day

55 个模型检测该样本为恶意！

重新分析

下载样本

b5983e7fb1701d1c79ca24d59270598cbd4c799322d4621c5862449916161af5

a17cabe825146446a80fc4ab7b92963d.exe

分析耗时

91s

最近分析

文件大小

308.0KB

静态报毒动态报毒 AGENSLA AGENTTESLA AI SCORE=81 AIDETECT ANTIVM ARTEMIS ATTRIBUTE BTLLBH CONFIDENCE DGZLOGQ2IAZFKMYQ0W DROPPERX ELYA EMKM GDSDA HIGH CONFIDENCE HIGHCONFIDENCE HXQBN54A IGENT KRYPT KRYPTIK LKNK MALICIOUS PE MALWARE1 MALWARE@#30IQ9F1PFW3Q7 NCSKK OCCAMY QQPASS QQROB R336922 RAZY SAVE SCORE SIGGEN2 STATIC AI SUSGEN TROJANPSW UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
CrowdStrike	win/malicious_confidence_80% (D)	20210203	1.0
Alibaba	TrojanPSW:MSIL/Agensla.36127cc2	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:DropperX-gen [Drp]	20210301	21.1.5827.0
Tencent	Msil.Trojan-qqpass.Qqrob.Lknk	20210301	1.0.0.1
Kingsoft		20210301	2017.9.26.565
McAfee	Artemis!A17CABE82514	20210301	6.0.6.653

Queries for the computername (4 个事件)

Time & API	Arguments	Status	Return
1619805516.581499 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619805518.956499 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619805521.456499 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619805521.972499 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619805509.206499 IsDebuggerPresent		failed	0	0
1619805509.206499 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619805509.222499 GlobalMemoryStatusEx		success	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

CHECKLIST

One or more processes crashed (50 out of 24072 个事件)

Time & API	Arguments	Status
1619781456.87525 __exception__	stacktrace: registers.esp: 1637140 registers.edi: 8851584 registers.eax: 4226328 registers.ebp: 8854640 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 9452528 registers.ecx: 8847360 exception.instruction_r: cf e9 25 ef ff ff 8b 1c 24 64 89 1d 00 00 00 00 exception.instruction: iretd exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x8719da	success
1619781456.87525 __exception__	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x77d76a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7460482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x77d40143 registers.esp: 1635336 registers.edi: 0 registers.eax: 0 registers.ebp: 1635400 registers.edx: 2010606285 registers.ebx: 8847525 registers.esi: 0 registers.ecx: 8854640 exception.instruction_r: 0f 08 e9 2a 01 00 00 e9 13 f9 ff ff 83 c4 08 e9 exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870be0	success
1619781456.87525 __exception__	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x77d76a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7460482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x77d40143 registers.esp: 1635336 registers.edi: 0 registers.eax: 3554492521 registers.ebp: 1635400 registers.edx: 2010606285 registers.ebx: 8852244 registers.esi: 0 registers.ecx: 8854640 exception.instruction_r: 66 6d 60 00 aa 9e 7d e5 69 43 d7 8a c5 8f 33 9c exception.instruction: insw word ptr es:[edi], dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x87127e	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637136 registers.edi: 8851584 registers.eax: 4226328 registers.ebp: 8847514 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 9452528 registers.ecx: 8847360 exception.instruction_r: e6 d6 5b 24 62 bb 0d c4 ca 60 f4 ca c1 6d 4d 35 exception.instruction: out -0x2a, al exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870dfa	success
1619781456.87525 __exception__	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x77d76a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7460482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x77d40143 registers.esp: 1635332 registers.edi: 0 registers.eax: 16 registers.ebp: 1635396 registers.edx: 2010606285 registers.ebx: 8852059 registers.esi: 0 registers.ecx: 8847514 exception.instruction_r: ed 25 2a b5 95 70 80 52 73 96 f0 6e 49 90 83 f5 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x871243	success
1619781456.87525 __exception__	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x77d76a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7460482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x77d40143 registers.esp: 1635332 registers.edi: 8850274 registers.eax: 184 registers.ebp: 1635396 registers.edx: 2010606285 registers.ebx: 1636012 registers.esi: 0 registers.ecx: 3874 exception.instruction_r: fa 4a d0 72 2e 02 9e 07 18 68 1f de ff 98 a9 04 exception.instruction: cli exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870a7c	success
1619781456.87525 __exception__	stacktrace: a17cabe825146446a80fc4ab7b92963d+0x12a6 @ 0x4012a6 a17cabe825146446a80fc4ab7b92963d+0x12a6 @ 0x4012a6 __vbaBoolErrVar+0x2c1e __vbaExceptHandler-0x139 msvbvm60+0xe46a6 @ 0x72a246a6 CreateIExprSrvObj+0x9f2 _CIexp-0x2058 msvbvm60+0xebcb9 @ 0x72a2bcb9 WinSqmSetIfMaxDWORD+0x35 RtlGetThreadErrorMode-0x23b ntdll+0x71ecd @ 0x77da1ecd registers.esp: 1637120 registers.edi: 8851584 registers.eax: 4226328 registers.ebp: 1637380 registers.edx: 1637352 registers.ebx: 8855505 registers.esi: 9452528 registers.ecx: 8847360 exception.instruction_r: ee e9 e2 ef ff ff 83 c8 08 83 c8 10 01 0c 03 e9 exception.instruction: out dx, al exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x871442	success
1619781456.87525 __exception__	stacktrace: a17cabe825146446a80fc4ab7b92963d+0x4f86 @ 0x404f86 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 a17cabe825146446a80fc4ab7b92963d+0x1486 @ 0x401486 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637128 registers.edi: 8855048 registers.eax: 4226328 registers.ebp: 1637396 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 9452528 registers.ecx: 8847360 exception.instruction_r: ee e9 d4 f0 ff ff e9 7d e8 ff ff 51 e8 16 ed ff exception.instruction: out dx, al exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x8718ce	success
1619781456.87525 __exception__	stacktrace: a17cabe825146446a80fc4ab7b92963d+0x4f86 @ 0x404f86 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 a17cabe825146446a80fc4ab7b92963d+0x1486 @ 0x401486 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637128 registers.edi: 8851584 registers.eax: 4226328 registers.ebp: 1637396 registers.edx: 1637352 registers.ebx: 8847667 registers.esi: 9452528 registers.ecx: 8847360 exception.instruction_r: 6c e9 fc f8 ff ff e9 3d ff ff ff 59 5d e9 8a fa exception.instruction: insb byte ptr es:[edi], dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x8707bf	success
1619781456.87525 __exception__	stacktrace: a17cabe825146446a80fc4ab7b92963d+0x4f86 @ 0x404f86 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 a17cabe825146446a80fc4ab7b92963d+0x1486 @ 0x401486 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637140 registers.edi: 8851750 registers.eax: 4226328 registers.ebp: 1637396 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 9452528 registers.ecx: 8847360 exception.instruction_r: 6e 1a b7 aa f8 77 00 5f ca 6a 58 92 dd a7 12 08 exception.instruction: outsb dx, byte ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x8710e6	success
1619781456.87525 __exception__	stacktrace: RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x77d76a8b New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x7460482b KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x77d40143 a17cabe825146446a80fc4ab7b92963d+0x4f86 @ 0x404f86 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 a17cabe825146446a80fc4ab7b92963d+0x1486 @ 0x401486 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1635336 registers.edi: 8853901 registers.eax: 4294967279 registers.ebp: 1635400 registers.edx: 2010606285 registers.ebx: 0 registers.esi: 0 registers.ecx: 8851750 exception.instruction_r: cf e9 5a f9 ff ff b9 16 12 00 00 e9 98 e9 ff ff exception.instruction: iretd exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x871d5f	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1633516 registers.edi: 0 registers.eax: 0 registers.ebp: 1634212 registers.edx: 521299838 registers.ebx: 8849478 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 6d bf e9 e2 4a 21 64 df 3e 4b 96 82 2c 47 67 f4 exception.instruction: insd dword ptr es:[edi], dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x8707f5	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8851584 registers.eax: 4226328 registers.ebp: 8850643 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 9452528 registers.ecx: 8847360 exception.instruction_r: ed 80 72 76 4d 3a 62 d1 ba f7 6f 6a c8 2e 85 7a exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x871f62	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1635352 registers.edi: 0 registers.eax: 184 registers.ebp: 8854359 registers.edx: 2010606285 registers.ebx: 0 registers.esi: 0 registers.ecx: 4294966110 exception.instruction_r: 6f e9 66 1a 00 00 53 e9 e2 1a 00 00 e9 c8 01 00 exception.instruction: outsd dx, dword ptr [esi] exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870094	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855689 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 1399395263 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855693 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2320404936 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855697 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 1950901687 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855701 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 3755683344 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855705 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 1205598511 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855709 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 1723981016 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855713 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2888402471 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855717 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 4097648160 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855721 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 3200533663 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855725 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2767065576 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855729 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 1413803159 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855733 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2275682352 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855737 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2839655951 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855741 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2728751352 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855745 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2227591431 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855749 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 1534489664 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855753 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2219576703 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855757 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 3374463496 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855761 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 3375467383 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855765 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 4177676880 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855769 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 3216181999 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855773 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2919673112 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855777 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 929186791 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855781 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2726160992 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855785 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2233364063 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855789 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 3562867240 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855793 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 3867951703 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855797 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 3825702000 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855801 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 3742234575 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855805 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 228036920 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855809 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 3325773511 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855813 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 3299182720 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855817 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 1071212351 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855821 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2056290888 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855825 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 3578990903 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success
1619781456.87525 __exception__	stacktrace: registers.esp: 1637156 registers.edi: 8855829 registers.eax: 4226328 registers.ebp: 8848700 registers.edx: 1637352 registers.ebx: 1923204860 registers.esi: 2537948816 registers.ecx: 8847360 exception.instruction_r: 0f 08 40 b7 d2 4d 42 12 3a cf 30 0f 57 11 9d 3c exception.instruction: invd exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x870519	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 139 个事件)

Time & API	Arguments	Status
1619781456.75025 NtAllocateVirtualMemory	process_identifier: 284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00800000	success
1619781456.75025 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d4f000	success
1619781456.87525 NtAllocateVirtualMemory	process_identifier: 284 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00870000	success
1619805506.237499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00460000	success
1619805506.237499 NtProtectVirtualMemory	process_identifier: 376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d4f000	success
1619805506.753499 NtProtectVirtualMemory	process_identifier: 376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619805506.972499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02b70000	success
1619805506.972499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02d00000	success
1619805509.050499 NtProtectVirtualMemory	process_identifier: 376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73801000	success
1619805509.050499 NtProtectVirtualMemory	process_identifier: 376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73741000	success
1619805509.065499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02f00000	success
1619805509.065499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x03090000	success
1619805509.128499 NtProtectVirtualMemory	process_identifier: 376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73801000	success
1619805509.206499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02a10000	success
1619805509.206499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02b10000	success
1619805509.206499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0067a000	success
1619805509.206499 NtProtectVirtualMemory	process_identifier: 376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73802000	success
1619805509.206499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00672000	success
1619805509.472499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00682000	success
1619805509.534499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006a5000	success
1619805509.534499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006ab000	success
1619805509.534499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006a7000	success
1619805509.675499 NtProtectVirtualMemory	process_identifier: 376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73731000	success
1619805510.378499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00683000	success
1619805510.503499 NtProtectVirtualMemory	process_identifier: 376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75061000	success
1619805510.534499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00684000	success
1619805510.581499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0068c000	success
1619805510.643499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02af0000	success
1619805510.643499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02b70000	success
1619805510.643499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02b71000	success
1619805510.659499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00687000	success
1619805511.456499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00688000	success
1619805511.565499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00696000	success
1619805512.347499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x03091000	success
1619805513.237499 NtProtectVirtualMemory	process_identifier: 376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x736b1000	success
1619805513.284499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0069a000	success
1619805513.284499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00697000	success
1619805513.550499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009b0000	success
1619805513.909499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009b1000	success
1619805514.550499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009b2000	success
1619805515.409499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02b82000	success
1619805516.253499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009b3000	success
1619805516.253499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02b83000	success
1619805516.268499 NtProtectVirtualMemory	process_identifier: 376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75011000	success
1619805516.581499 NtProtectVirtualMemory	process_identifier: 376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x703c1000	success
1619805516.753499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009b4000	success
1619805516.784499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02b84000	success
1619805516.956499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009b5000	success
1619805517.143499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009b6000	success
1619805517.143499 NtAllocateVirtualMemory	process_identifier: 376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0068d000	success

Steals private information from local Internet browsers (7 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619805558.284499 CreateProcessInternalW	thread_identifier: 3196 thread_handle: 0x0000045c process_identifier: 3192 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "netsh" wlan show profile filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x00000468 inherit_handles: 1	success	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781456.50025 NtProtectVirtualMemory	process_identifier: 284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x007d0000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.9063773278709215

section

{'size_of_data': '0x00046000', 'virtual_address': '0x00001000', 'entropy': 7.9063773278709215, 'name': '.text', 'virtual_size': '0x0004565c'}

description

A section with a high entropy has been found

entropy

0.9210526315789473

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619805515.878499 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (1 个事件)

cmdline

"netsh" wlan show profile

One or more of the buffers contains an embedded PE file (1 个事件)

buffer

Buffer with sha1: d83241829bb7bc2278e25759f07a9fff1f97723a

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

A process attempted to delay the analysis task. (1 个事件)

description

RegAsm.exe tried to sleep 2728289 seconds, actually delayed analysis time by 2728289 seconds

Harvests credentials from local FTP client softwares (5 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Harvests credentials from local email clients (5 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 284 called NtSetContextThread to modify thread in remote process 376
1619781458.00025 NtSetContextThread	thread_handle: 0x00000150 registers.eip: 4530176 registers.esp: 4127732 registers.edi: 0 registers.eax: 4507806 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2010382788 process_identifier: 376	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 284 resumed a thread in remote process 376
1619781458.04725 NtResumeThread	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 376	success	0	0

Executed a process and injected code into it, probably while unpacking (17 个事件)

Time & API	Arguments	Status	Return
1619781457.98425 CreateProcessInternalW	thread_identifier: 2056 thread_handle: 0x00000150 process_identifier: 376 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000154 inherit_handles: 0	success	1
1619781457.98425 NtGetContextThread	thread_handle: 0x00000150	success	0
1619781457.98425 NtUnmapViewOfSection	process_identifier: 376 region_size: 13303808 process_handle: 0x00000154 base_address: 0x00400000	failed	3221225497
1619781457.98425 NtMapViewOfSection	section_handle: 0x000000e0 process_identifier: 376 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000154 allocation_type: 0 () section_offset: 0 view_size: 352256 base_address: 0x00400000	success	0
1619781458.00025 NtSetContextThread	thread_handle: 0x00000150 registers.eip: 4530176 registers.esp: 4127732 registers.edi: 0 registers.eax: 4507806 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2010382788 process_identifier: 376	success	0
1619781458.04725 NtResumeThread	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 376	success	0
1619805509.206499 NtResumeThread	thread_handle: 0x00000174 suspend_count: 1 process_identifier: 376	success	0
1619805509.222499 NtResumeThread	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 376	success	0
1619805509.222499 NtResumeThread	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 376	success	0
1619805518.784499 NtResumeThread	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 376	success	0
1619805518.862499 NtResumeThread	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 376	success	0
1619805521.425499 NtResumeThread	thread_handle: 0x000003c0 suspend_count: 1 process_identifier: 376	success	0
1619805527.972499 NtResumeThread	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 376	success	0
1619805558.284499 CreateProcessInternalW	thread_identifier: 3196 thread_handle: 0x0000045c process_identifier: 3192 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "netsh" wlan show profile filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x00000468 inherit_handles: 1	success	1
1619805562.018499 NtResumeThread	thread_handle: 0x00000474 suspend_count: 1 process_identifier: 376	success	0
1619805563.253499 NtResumeThread	thread_handle: 0x0000048c suspend_count: 1 process_identifier: 376	success	0
1619805559.643876 NtResumeThread	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 3192	success	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Razy.670925
Qihoo-360	Win32/TrojanSpy.AgentTesla.HxQBn54A
ALYac	Gen:Variant.Razy.670925
Cylance	Unsafe
Zillya	Trojan.Injector.Win32.740116
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_80% (D)
Alibaba	TrojanPSW:MSIL/Agensla.36127cc2
K7GW	Trojan ( 00566eaf1 )
K7AntiVirus	Trojan ( 00566eaf1 )
Arcabit	Trojan.Razy.DA3CCD
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Malware.Agent-7846401-0
Kaspersky	Trojan-PSW.MSIL.Agensla.qzf
BitDefender	Gen:Variant.Razy.670925
Paloalto	generic.ml
Tencent	Msil.Trojan-qqpass.Qqrob.Lknk
Ad-Aware	Gen:Variant.Razy.670925
Emsisoft	Gen:Variant.Razy.670925 (B)
Comodo	Malware@#30iq9f1pfw3q7
F-Secure	Trojan.TR/AD.AgentTesla.ncskk
DrWeb	Trojan.PWS.Siggen2.49044
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
FireEye	Generic.mg.a17cabe825146446
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Krypt
Jiangmin	Heur:Trojan/AntiVM
Webroot	W32.Trojan.Gen
Avira	TR/AD.AgentTesla.ncskk
Antiy-AVL	Trojan[PSW]/MSIL.Agensla
Gridinsoft	Trojan.Win32.Keylogger.ba
Microsoft	Trojan:Win32/Occamy.CB5
ZoneAlarm	Trojan-PSW.MSIL.Agensla.qzf
GData	Gen:Variant.Razy.670925
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Kryptik.R336922
McAfee	Artemis!A17CABE82514
MAX	malware (ai score=81)
VBA32	TrojanPSW.MSIL.Agensla
Malwarebytes	Spyware.KeyLogger
ESET-NOD32	a variant of Win32/Injector.EMKM
Rising	Exploit.Shellcode!8.2A (TFE:dGZlOgQ2IazfkMYQ0w)
Yandex	Trojan.Igent.bTLlBh.49
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_91%

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-18 05:07:22

Imports

Library MSVBVM60.DLL:

• 0x401000 __vbaVarSub

• 0x401004 _CIcos

• 0x401008 _adj_fptan

• 0x40100c __vbaVarMove

• 0x401010 __vbaAryMove

• 0x401014 __vbaFreeVar

• 0x401018 __vbaStrVarMove

• 0x40101c __vbaFreeVarList

• 0x401020 _adj_fdiv_m64

• 0x401024

• 0x401028 __vbaStrErrVarCopy

• 0x40102c _adj_fprem1

• 0x401030 __vbaVarCmpNe

• 0x401034 __vbaStrCat

• 0x401038 __vbaHresultCheckObj

• 0x40103c __vbaLenVar

• 0x401040 _adj_fdiv_m32

• 0x401044 __vbaAryDestruct

• 0x401048 __vbaExitProc

• 0x40104c __vbaVarForInit

• 0x401050 __vbaOnError

• 0x401054 __vbaObjSet

• 0x401058

• 0x40105c _adj_fdiv_m16i

• 0x401060 __vbaObjSetAddref

• 0x401064 _adj_fdivr_m16i

• 0x401068 __vbaBoolVarNull

• 0x40106c _CIsin

• 0x401070 __vbaErase

• 0x401074 __vbaVarZero

• 0x401078 __vbaChkstk

• 0x40107c

• 0x401080 EVENT_SINK_AddRef

• 0x401084

• 0x401088 __vbaAryConstruct2

• 0x40108c __vbaVarTstEq

• 0x401090 __vbaCyI4

• 0x401094 __vbaVarLikeVar

• 0x401098 __vbaVarOr

• 0x40109c __vbaRedimPreserve

• 0x4010a0 _adj_fpatan

• 0x4010a4 __vbaRedim

• 0x4010a8 EVENT_SINK_Release

• 0x4010ac _CIsqrt

• 0x4010b0 EVENT_SINK_QueryInterface

• 0x4010b4 __vbaExceptHandler

• 0x4010b8 _adj_fprem

• 0x4010bc _adj_fdivr_m64

• 0x4010c0 __vbaFPException

• 0x4010c4 __vbaUbound

• 0x4010c8 __vbaStrVarVal

• 0x4010cc __vbaVarCat

• 0x4010d0

• 0x4010d4 _CIlog

• 0x4010d8 _adj_fdiv_m32i

• 0x4010dc _adj_fdivr_m32i

• 0x4010e0 __vbaStrCopy

• 0x4010e4 __vbaFreeStrList

• 0x4010e8 _adj_fdivr_m32

• 0x4010ec _adj_fdiv_r

• 0x4010f0

• 0x4010f4 __vbaVarTstNe

• 0x4010f8 __vbaI4Var

• 0x4010fc __vbaAryLock

• 0x401100 __vbaVarDup

• 0x401104 __vbaVarCopy

• 0x401108

• 0x40110c _CIatan

• 0x401110 __vbaCastObj

• 0x401114 __vbaStrMove

• 0x401118 _allmul

• 0x40111c __vbaLenVarB

• 0x401120 _CItan

• 0x401124 __vbaAryUnlock

• 0x401128 __vbaVarForNext

• 0x40112c _CIexp

• 0x401130 __vbaI4ErrVar

• 0x401134 __vbaFreeObj

• 0x401138 __vbaFreeStr

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51379	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.