SmartHawk

8.8

极危

63 个模型检测该样本为恶意！

重新分析

下载样本

9d85a0de0623aa8d4a2b1c5887cc18a77c9482115acb71a12b7a54fe186c5484

a3a32fd6f454764eaf03dc072873512c.exe

分析耗时

93s

最近分析

文件大小

946.1KB

静态报毒动态报毒 100% 7Y2AAQIRKNMI AGENERIC AI SCORE=100 AIDETECTVM CLASSIC COBRA COC@52VN2U CONFIDENCE CXHRX EACWW ELDORADO GENERICKD GENETIC HA190043 HIGH CONFIDENCE HKOPRU KCLOUD KVMH008 L6P7 LMKH MALICIOUS PE MALWARE1 QUHM9DRKW R + MAL REMTASU SCORE STATIC AI STRICTOR THEMIDA UNSAFE UVPM VIRTUMOD XRAT XTRAT XTREME XTREMERAT ZEXAF ZUSY 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Backdoor:Win32/Xtrat.d9fc6dfd	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20201210	21.1.5827.0
Tencent	Win32.Trojan.Generic.Lmkh	20201211	1.0.0.1
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)	20201211	2017.9.26.565
McAfee	Packed-ZO!A3A32FD6F454	20201211	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Checks if process is being debugged by a debugger (31 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781454.265375 IsDebuggerPresent		failed	0	0
1619781456.109375 IsDebuggerPresent		failed	0	0
1619781458.124375 IsDebuggerPresent		failed	0	0
1619781460.140375 IsDebuggerPresent		failed	0	0
1619781462.156375 IsDebuggerPresent		failed	0	0
1619781464.171375 IsDebuggerPresent		failed	0	0
1619781466.187375 IsDebuggerPresent		failed	0	0
1619781468.203375 IsDebuggerPresent		failed	0	0
1619781470.218375 IsDebuggerPresent		failed	0	0
1619781472.234375 IsDebuggerPresent		failed	0	0
1619781474.249375 IsDebuggerPresent		failed	0	0
1619781476.265375 IsDebuggerPresent		failed	0	0
1619781478.281375 IsDebuggerPresent		failed	0	0
1619781480.296375 IsDebuggerPresent		failed	0	0
1619781482.312375 IsDebuggerPresent		failed	0	0
1619781484.328375 IsDebuggerPresent		failed	0	0
1619781486.343375 IsDebuggerPresent		failed	0	0
1619781488.359375 IsDebuggerPresent		failed	0	0
1619781490.374375 IsDebuggerPresent		failed	0	0
1619781492.390375 IsDebuggerPresent		failed	0	0
1619781494.406375 IsDebuggerPresent		failed	0	0
1619781496.421375 IsDebuggerPresent		failed	0	0
1619781498.437375 IsDebuggerPresent		failed	0	0
1619781500.453375 IsDebuggerPresent		failed	0	0
1619781502.468375 IsDebuggerPresent		failed	0	0
1619781504.484375 IsDebuggerPresent		failed	0	0
1619781506.499375 IsDebuggerPresent		failed	0	0
1619781508.515375 IsDebuggerPresent		failed	0	0
1619781510.531375 IsDebuggerPresent		failed	0	0
1619781512.546375 IsDebuggerPresent		failed	0	0
1619781514.562375 IsDebuggerPresent		failed	0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 个事件)

section	\x00
section	.idata
section
section	nhgxrnnn
section	zgwhklkc

One or more processes crashed (50 out of 119 个事件)

Time & API	Arguments	Status
1619781453.484375 __exception__	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1638276 registers.edi: 0 registers.eax: 1 registers.ebp: 1638292 registers.edx: 6262784 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x12e0c9 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 1237193 exception.address: 0x52e0c9	success
1619781453.484375 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4445554 registers.eax: 25691 registers.ebp: 4117737492 registers.edx: 1910749778 registers.ebx: 0 registers.esi: 3 registers.ecx: 1983315968 exception.instruction_r: fb e9 d7 fe ff ff 81 c5 04 00 00 00 81 ed 04 00 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x3ce6b exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 249451 exception.address: 0x43ce6b	success
1619781453.484375 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4445554 registers.eax: 26092 registers.ebp: 4117737492 registers.edx: 4472104 registers.ebx: 0 registers.esi: 3 registers.ecx: 1983315968 exception.instruction_r: fb 51 e9 5e ff ff ff 56 55 bd b4 03 6b 1e 89 ee exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x3d840 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 251968 exception.address: 0x43d840	success
1619781453.484375 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4445554 registers.eax: 223465 registers.ebp: 4117737492 registers.edx: 4448476 registers.ebx: 0 registers.esi: 3 registers.ecx: 1983315968 exception.instruction_r: fb 83 ec 04 e9 42 fd ff ff 8b 04 24 81 c4 04 00 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x3dd35 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 253237 exception.address: 0x43dd35	success
1619781453.484375 __exception__	stacktrace: registers.esp: 1638240 registers.edi: 4445554 registers.eax: 4708907 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 31719908 registers.esi: 3 registers.ecx: 484 exception.instruction_r: fb 53 bb e3 50 b2 59 01 d8 5b 55 e9 c7 fc ff ff exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x7e03d exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 516157 exception.address: 0x47e03d	success
1619781453.484375 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4445554 registers.eax: 4712227 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 3 registers.ecx: 432617 exception.instruction_r: fb 68 71 36 00 00 89 3c 24 68 cb 6f 2c 10 e9 00 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x7dc84 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 515204 exception.address: 0x47dc84	success
1619781453.484375 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 199913 registers.eax: 26616 registers.ebp: 4117737492 registers.edx: 4745815 registers.ebx: 4714675 registers.esi: 1164460653 registers.ecx: 4294943196 exception.instruction_r: fb e9 95 02 00 00 89 1c 24 54 5b 81 c3 04 00 00 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x8058b exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 525707 exception.address: 0x48058b	success
1619781453.484375 __exception__	stacktrace: registers.esp: 1638240 registers.edi: 3026442 registers.eax: 31313 registers.ebp: 4117737492 registers.edx: 4724160 registers.ebx: 4714675 registers.esi: 1164460653 registers.ecx: 0 exception.instruction_r: fb 57 bf 2b 2d ad 5a e9 c3 01 00 00 ba 00 00 00 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x818fb exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 530683 exception.address: 0x4818fb	success
1619781453.484375 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 3026442 registers.eax: 31313 registers.ebp: 4117737492 registers.edx: 4755473 registers.ebx: 4714675 registers.esi: 1164460653 registers.ecx: 0 exception.instruction_r: fb 52 50 68 cc 4b 03 0f 58 25 14 72 b5 1f 25 90 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x81d97 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 531863 exception.address: 0x481d97	success
1619781453.484375 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 3026442 registers.eax: 134889 registers.ebp: 4117737492 registers.edx: 4755473 registers.ebx: 4294939020 registers.esi: 1164460653 registers.ecx: 0 exception.instruction_r: fb e9 ab fb ff ff 89 e0 e9 b5 f8 ff ff 81 c4 04 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x82118 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 532760 exception.address: 0x482118	success
1619781453.484375 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 3026442 registers.eax: 1447909480 registers.ebp: 4117737492 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 4748130 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 ee 0f 00 00 52 ba 01 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x8793f exception.instruction: in eax, dx exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 555327 exception.address: 0x48793f	success
1619781453.484375 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 3026442 registers.eax: 1 registers.ebp: 4117737492 registers.edx: 22104 registers.ebx: 0 registers.esi: 4748130 registers.ecx: 20 exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x8b189 exception.address: 0x48b189 exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc000001d exception.offset: 569737	success
1619781453.484375 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 3026442 registers.eax: 1447909480 registers.ebp: 4117737492 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 4748130 registers.ecx: 10 exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 1d 31 d4 0a 01 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x87c7b exception.instruction: in eax, dx exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 556155 exception.address: 0x487c7b	success
1619781453.781375 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4294939076 registers.eax: 31687 registers.ebp: 4117737492 registers.edx: 233396064 registers.ebx: 4807049 registers.esi: 10 registers.ecx: 3879993344 exception.instruction_r: fb 50 89 2c 24 e9 01 f9 ff ff 81 c7 04 00 00 00 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x8e57a exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 583034 exception.address: 0x48e57a	success
1619781453.781375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 0 registers.eax: 1638204 registers.ebp: 4117737492 registers.edx: 0 registers.ebx: 4779724 registers.esi: 4779063 registers.ecx: 4779063 exception.instruction_r: cd 01 eb 00 6a 00 57 e8 03 00 00 00 20 5f c3 5f exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x8ed4f exception.instruction: int 1 exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000005 exception.offset: 585039 exception.address: 0x48ed4f	success
1619781454.078375 __exception__	stacktrace: registers.esp: 1638240 registers.edi: 4439822 registers.eax: 26899 registers.ebp: 4117737492 registers.edx: 6 registers.ebx: 14497299 registers.esi: 4820453 registers.ecx: 0 exception.instruction_r: fb e9 a5 09 00 00 29 f0 e9 51 ff ff ff 31 34 24 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x98ea6 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 626342 exception.address: 0x498ea6	success
1619781454.078375 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4439822 registers.eax: 26899 registers.ebp: 4117737492 registers.edx: 6 registers.ebx: 14497299 registers.esi: 4847352 registers.ecx: 0 exception.instruction_r: fb 57 50 b8 97 21 6f 5e c1 e0 03 35 1f 7f 3d a9 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x9966b exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 628331 exception.address: 0x49966b	success
1619781454.078375 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4439822 registers.eax: 26899 registers.ebp: 4117737492 registers.edx: 539625 registers.ebx: 14497299 registers.esi: 4823220 registers.ecx: 0 exception.instruction_r: fb 68 a2 23 00 00 e9 f1 f9 ff ff 81 f7 49 04 1d exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x9957f exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 628095 exception.address: 0x49957f	success
1619781454.078375 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 4439822 registers.eax: 31495 registers.ebp: 4117737492 registers.edx: 4871048 registers.ebx: 14497299 registers.esi: 4823220 registers.ecx: 539625 exception.instruction_r: fb 68 00 00 00 00 ff 34 24 ff 34 24 e9 50 00 00 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x9e312 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 647954 exception.address: 0x49e312	success
1619781454.078375 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 4122962 registers.eax: 31495 registers.ebp: 4117737492 registers.edx: 4871048 registers.ebx: 4294938776 registers.esi: 4823220 registers.ecx: 539625 exception.instruction_r: fb 68 cb 66 00 00 e9 6a fd ff ff be 04 00 00 00 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x9e10e exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 647438 exception.address: 0x49e10e	success
1619781454.078375 __exception__	stacktrace: registers.esp: 1638232 registers.edi: 4122962 registers.eax: 28438 registers.ebp: 4117737492 registers.edx: 4842771 registers.ebx: 4294938776 registers.esi: 4823220 registers.ecx: 539625 exception.instruction_r: fb 50 51 b9 e0 70 6e 4c 89 c8 59 c1 e0 02 55 50 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x9ed62 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 650594 exception.address: 0x49ed62	success
1619781454.078375 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 4122962 registers.eax: 28438 registers.ebp: 4117737492 registers.edx: 4871209 registers.ebx: 4294938776 registers.esi: 4823220 registers.ecx: 539625 exception.instruction_r: fb 68 d7 18 00 00 ff 34 24 ff 34 24 8b 0c 24 51 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x9e752 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 649042 exception.address: 0x49e752	success
1619781454.078375 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 82608469 registers.eax: 28438 registers.ebp: 4117737492 registers.edx: 4845773 registers.ebx: 4294938776 registers.esi: 4823220 registers.ecx: 0 exception.instruction_r: fb 57 bf 97 50 77 57 55 68 57 78 88 40 8b 2c 24 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x9edd7 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 650711 exception.address: 0x49edd7	success
1619781454.078375 __exception__	stacktrace: registers.esp: 1638232 registers.edi: 82608469 registers.eax: 4846251 registers.ebp: 4117737492 registers.edx: 4845773 registers.ebx: 123136138 registers.esi: 4823220 registers.ecx: 2011404426 exception.instruction_r: fb 2d 96 0d 93 13 05 3c 45 c3 19 2d 61 1a 03 49 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x9f3be exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 652222 exception.address: 0x49f3be	success
1619781454.078375 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 0 registers.eax: 4849060 registers.ebp: 4117737492 registers.edx: 4845773 registers.ebx: 123136138 registers.esi: 66281 registers.ecx: 2011404426 exception.instruction_r: fb 50 e9 a3 fc ff ff 81 c6 04 00 00 00 e9 76 fd exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x9f9b4 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 653748 exception.address: 0x49f9b4	success
1619781454.093375 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 1166475412 registers.eax: 30428 registers.ebp: 4117737492 registers.edx: 1723711319 registers.ebx: 4924131 registers.esi: 45225 registers.ecx: 3879993344 exception.instruction_r: fb 31 d2 e9 dd fd ff ff 5a 5a 68 9d 7d 00 00 89 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xab357 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 701271 exception.address: 0x4ab357	success
1619781454.109375 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 1166475412 registers.eax: 30428 registers.ebp: 4117737492 registers.edx: 4294939356 registers.ebx: 4924131 registers.esi: 45225 registers.ecx: 116969 exception.instruction_r: fb 68 72 4a 92 33 ff 34 24 e9 ad 03 00 00 55 52 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xaad61 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 699745 exception.address: 0x4aad61	success
1619781454.109375 __exception__	stacktrace: registers.esp: 1638200 registers.edi: 4970631 registers.eax: 29209 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 4096 registers.esi: 4974378 registers.ecx: 2135536034 exception.instruction_r: fb 81 ef ec 0f 12 56 81 ec 04 00 00 00 89 1c 24 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xbe31f exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 779039 exception.address: 0x4be31f	success
1619781454.109375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 4999840 registers.eax: 29209 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 4096 registers.esi: 4974378 registers.ecx: 2135536034 exception.instruction_r: fb 68 1a 5e 00 00 89 14 24 e9 4e 03 00 00 5d e9 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xbdb19 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 776985 exception.address: 0x4bdb19	success
1619781454.109375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 4973944 registers.eax: 2041757270 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 4974378 registers.ecx: 2135536034 exception.instruction_r: fb 50 52 ba 46 61 8c 63 81 f2 a2 02 1c 7e 81 ca exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xbe0d6 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 778454 exception.address: 0x4be0d6	success
1619781454.109375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 4973944 registers.eax: 32055 registers.ebp: 4117737492 registers.edx: 2033719911 registers.ebx: 0 registers.esi: 5006283 registers.ecx: 322094082 exception.instruction_r: fb 29 c9 ff 34 31 e9 60 00 00 00 bf 14 1a f7 66 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xbef2a exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 782122 exception.address: 0x4bef2a	success
1619781454.109375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 4973944 registers.eax: 1133481357 registers.ebp: 4117737492 registers.edx: 2033719911 registers.ebx: 0 registers.esi: 5006283 registers.ecx: 4294938244 exception.instruction_r: fb 50 89 e0 56 e9 2e 01 00 00 51 b9 ab 03 af 38 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xbe746 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 780102 exception.address: 0x4be746	success
1619781454.109375 __exception__	stacktrace: registers.esp: 1638200 registers.edi: 4979784 registers.eax: 25721 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 35328 registers.esi: 5006283 registers.ecx: 2005871740 exception.instruction_r: fb 53 55 bd 51 72 50 0d bb 1a bd 0a 4d 29 eb 5d exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xbfe47 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 785991 exception.address: 0x4bfe47	success
1619781454.109375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5005505 registers.eax: 25721 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 4294943980 registers.esi: 5006283 registers.ecx: 1452182925 exception.instruction_r: fb e9 1b f8 ff ff 89 3c 24 89 14 24 89 e2 81 c2 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xc050a exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 787722 exception.address: 0x4c050a	success
1619781454.124375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 0 registers.eax: 4996279 registers.ebp: 4117737492 registers.edx: 2130378752 registers.ebx: 65802 registers.esi: 6650667 registers.ecx: 856006029 exception.instruction_r: fb 68 79 52 00 00 e9 96 fd ff ff 8b 14 24 51 54 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xc3ab9 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 801465 exception.address: 0x4c3ab9	success
1619781454.124375 __exception__	stacktrace: registers.esp: 1638200 registers.edi: 0 registers.eax: 30472 registers.ebp: 4117737492 registers.edx: 2130378752 registers.ebx: 4449049 registers.esi: 5002169 registers.ecx: 856006029 exception.instruction_r: fb 81 ee 26 3c d4 76 52 ba b1 67 53 60 29 d6 8b exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xc5acc exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 809676 exception.address: 0x4c5acc	success
1619781454.124375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 0 registers.eax: 30472 registers.ebp: 4117737492 registers.edx: 2130378752 registers.ebx: 4449049 registers.esi: 5032641 registers.ecx: 856006029 exception.instruction_r: fb 31 c9 ff 34 31 8b 1c 24 68 88 41 00 00 89 34 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xc5c5e exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 810078 exception.address: 0x4c5c5e	success
1619781454.124375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 0 registers.eax: 30472 registers.ebp: 4117737492 registers.edx: 2130378752 registers.ebx: 71913 registers.esi: 5032641 registers.ecx: 4294939440 exception.instruction_r: fb 68 c4 d2 97 24 ff 34 24 5b 53 e9 1d 03 00 00 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xc586b exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 809067 exception.address: 0x4c586b	success
1619781454.124375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5041433 registers.eax: 29096 registers.ebp: 4117737492 registers.edx: 4294940772 registers.ebx: 18938888 registers.esi: 3508629276 registers.ecx: 7849576 exception.instruction_r: fb e9 d8 fd ff ff 55 bd 0b 08 01 00 29 ef 5d 89 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xc8146 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 819526 exception.address: 0x4c8146	success
1619781454.124375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5041433 registers.eax: 30662 registers.ebp: 4117737492 registers.edx: 122904761 registers.ebx: 113530218 registers.esi: 5045811 registers.ecx: 7849576 exception.instruction_r: fb 29 d2 ff 34 32 e9 18 f8 ff ff 5c 81 ec 04 00 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xc8fc4 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 823236 exception.address: 0x4c8fc4	success
1619781454.124375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5041433 registers.eax: 30662 registers.ebp: 4117737492 registers.edx: 4294939312 registers.ebx: 3880522344 registers.esi: 5045811 registers.ecx: 7849576 exception.instruction_r: fb 68 4d df 03 7d ff 34 24 e9 e6 fc ff ff 29 d5 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xc9071 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 823409 exception.address: 0x4c9071	success
1619781454.124375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5041433 registers.eax: 29083 registers.ebp: 4117737492 registers.edx: 58795849 registers.ebx: 1266390024 registers.esi: 5047126 registers.ecx: 7849576 exception.instruction_r: fb 31 c0 ff 34 06 e9 b3 ff ff ff 81 c4 04 00 00 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xc9665 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 824933 exception.address: 0x4c9665	success
1619781454.124375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 26857 registers.eax: 4294940548 registers.ebp: 4117737492 registers.edx: 58795849 registers.ebx: 1266390024 registers.esi: 5047126 registers.ecx: 7849576 exception.instruction_r: fb e9 bd fa ff ff 56 89 e6 e9 74 fb ff ff c1 e6 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xc97d9 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 825305 exception.address: 0x4c97d9	success
1619781454.265375 __exception__	stacktrace: registers.esp: 1638200 registers.edi: 0 registers.eax: 5052046 registers.ebp: 4117737492 registers.edx: 106157268 registers.ebx: 5040800 registers.esi: 7707472 registers.ecx: 33024 exception.instruction_r: fb e9 f6 fc ff ff 2d 31 1f 77 67 01 f8 05 31 1f exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xd1ad1 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 858833 exception.address: 0x4d1ad1	success
1619781454.265375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 0 registers.eax: 5055375 registers.ebp: 4117737492 registers.edx: 0 registers.ebx: 5040800 registers.esi: 9193 registers.ecx: 33024 exception.instruction_r: fb 51 68 b1 15 ac 5c 59 81 e9 01 00 00 00 c1 e1 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xd16d8 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 857816 exception.address: 0x4d16d8	success
1619781454.265375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5059026 registers.eax: 27169 registers.ebp: 4117737492 registers.edx: 582600 registers.ebx: 1 registers.esi: 5067039 registers.ecx: 5093862 exception.instruction_r: fb 29 db 52 89 da 81 c2 00 00 00 00 81 c2 72 74 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xd509f exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 872607 exception.address: 0x4d509f	success
1619781454.265375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5059026 registers.eax: 2892074381 registers.ebp: 4117737492 registers.edx: 582600 registers.ebx: 4294943144 registers.esi: 5067039 registers.ecx: 5093862 exception.instruction_r: fb 68 c5 5e 00 00 89 3c 24 e9 94 01 00 00 8f 04 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xd5344 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 873284 exception.address: 0x4d5344	success
1619781454.296375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 4294939812 registers.eax: 5116650 registers.ebp: 4117737492 registers.edx: 322689 registers.ebx: 5077695 registers.esi: 7707472 registers.ecx: 33024 exception.instruction_r: fb 53 e9 71 04 00 00 81 ed 3f 2d 9b 69 01 cd 81 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xd9ce1 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 892129 exception.address: 0x4d9ce1	success
1619781454.296375 __exception__	stacktrace: registers.esp: 1638200 registers.edi: 4294939812 registers.eax: 5089626 registers.ebp: 4117737492 registers.edx: 824085085 registers.ebx: 5077695 registers.esi: 7707472 registers.ecx: 1762159729 exception.instruction_r: fb 51 56 e9 b2 03 00 00 01 f1 5e 53 52 68 66 6b exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xdae4d exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 896589 exception.address: 0x4dae4d	success
1619781454.296375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 4294939812 registers.eax: 5119000 registers.ebp: 4117737492 registers.edx: 824085085 registers.ebx: 5077695 registers.esi: 7707472 registers.ecx: 1762159729 exception.instruction_r: fb 68 1f 1a 00 00 ff 34 24 5b 51 89 e1 e9 5f fc exception.symbol: a3a32fd6f454764eaf03dc072873512c+0xdaee9 exception.instruction: sti exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 896745 exception.address: 0x4daee9	success

Allocates read-write-execute memory (usually to unpack itself) (20 个事件)

Time & API	Arguments	Status
1619781454.374375 NtProtectVirtualMemory	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1619781454.374375 NtProtectVirtualMemory	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1619781454.874375 NtProtectVirtualMemory	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 94208 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00401000	success
1619781454.953375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x040e0000	success
1619781454.953375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x040f0000	success
1619781454.953375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04100000	success
1619781454.953375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04110000	success
1619781454.953375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04120000	success
1619781454.968375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04130000	success
1619781454.968375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04140000	success
1619781454.968375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04150000	success
1619781454.968375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04160000	success
1619781454.968375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04170000	success
1619781454.968375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04180000	success
1619781454.968375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04190000	success
1619781454.968375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x041a0000	success
1619781454.968375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x041b0000	success
1619781454.968375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x046d0000	success
1619781454.968375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x046e0000	success
1619781454.968375 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x046f0000	success

A process attempted to delay the analysis task. (1 个事件)

description

a3a32fd6f454764eaf03dc072873512c.exe tried to sleep 540 seconds, actually delayed analysis time by 540 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781455.046375 NtProtectVirtualMemory	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x00760000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (4 个事件)

entropy

7.959736850562741

section

{'size_of_data': '0x00017000', 'virtual_address': '0x00001000', 'entropy': 7.959736850562741, 'name': ' \\x00 ', 'virtual_size': '0x00032000'}

description

A section with a high entropy has been found

entropy

7.523454328130191

section

{'size_of_data': '0x00004000', 'virtual_address': '0x00033000', 'entropy': 7.523454328130191, 'name': '.rsrc', 'virtual_size': '0x00006d4c'}

description

A section with a high entropy has been found

entropy

7.86137014116231

section

{'size_of_data': '0x000cb000', 'virtual_address': '0x0012e000', 'entropy': 7.86137014116231, 'name': 'nhgxrnnn', 'virtual_size': '0x000cb000'}

description

A section with a high entropy has been found

entropy

0.9871244635193133

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 个事件)

process

system

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	203.208.41.65

Checks for the presence of known devices from debuggers and forensic tools (3 个事件)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 185 个事件)

Time & API	Arguments	Status
1619781454.156375 FindWindowA	class_name: OLLYDBG window_name:	failed
1619781454.156375 FindWindowA	class_name: GBDYLLO window_name:	failed
1619781454.156375 FindWindowA	class_name: pediy06 window_name:	failed
1619781454.281375 FindWindowA	class_name: FilemonClass window_name:	failed
1619781454.281375 FindWindowA	class_name: FilemonClass window_name:	failed
1619781454.281375 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1619781454.281375 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619781454.281375 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1619781454.312375 FindWindowA	class_name: RegmonClass window_name:	failed
1619781454.312375 FindWindowA	class_name: RegmonClass window_name:	failed
1619781454.312375 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1619781454.312375 FindWindowA	class_name: 18467-41 window_name:	failed
1619781454.874375 FindWindowA	class_name: FilemonClass window_name:	failed
1619781454.874375 FindWindowA	class_name: FilemonClass window_name:	failed
1619781454.874375 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1619781454.874375 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619781454.874375 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1619781456.109375 FindWindowA	class_name: OLLYDBG window_name:	failed
1619781456.109375 FindWindowA	class_name: GBDYLLO window_name:	failed
1619781456.109375 FindWindowA	class_name: pediy06 window_name:	failed
1619781458.124375 FindWindowA	class_name: OLLYDBG window_name:	failed
1619781458.124375 FindWindowA	class_name: GBDYLLO window_name:	failed
1619781458.124375 FindWindowA	class_name: pediy06 window_name:	failed
1619781458.937375 FindWindowA	class_name: Regmonclass window_name:	failed
1619781458.937375 FindWindowA	class_name: Regmonclass window_name:	failed
1619781459.249375 FindWindowA	class_name: 18467-41 window_name:	failed
1619781459.562375 FindWindowA	class_name: Filemonclass window_name:	failed
1619781459.562375 FindWindowA	class_name: Filemonclass window_name:	failed
1619781459.562375 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619781460.140375 FindWindowA	class_name: OLLYDBG window_name:	failed
1619781460.140375 FindWindowA	class_name: GBDYLLO window_name:	failed
1619781460.140375 FindWindowA	class_name: pediy06 window_name:	failed
1619781462.156375 FindWindowA	class_name: OLLYDBG window_name:	failed
1619781462.156375 FindWindowA	class_name: GBDYLLO window_name:	failed
1619781462.156375 FindWindowA	class_name: pediy06 window_name:	failed
1619781463.562375 FindWindowA	class_name: Regmonclass window_name:	failed
1619781463.562375 FindWindowA	class_name: Regmonclass window_name:	failed
1619781463.874375 FindWindowA	class_name: 18467-41 window_name:	failed
1619781464.171375 FindWindowA	class_name: OLLYDBG window_name:	failed
1619781464.171375 FindWindowA	class_name: GBDYLLO window_name:	failed
1619781464.171375 FindWindowA	class_name: pediy06 window_name:	failed
1619781464.187375 FindWindowA	class_name: Filemonclass window_name:	failed
1619781464.187375 FindWindowA	class_name: Filemonclass window_name:	failed
1619781464.187375 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619781466.187375 FindWindowA	class_name: OLLYDBG window_name:	failed
1619781466.187375 FindWindowA	class_name: GBDYLLO window_name:	failed
1619781466.187375 FindWindowA	class_name: pediy06 window_name:	failed
1619781468.187375 FindWindowA	class_name: Regmonclass window_name:	failed
1619781468.187375 FindWindowA	class_name: Regmonclass window_name:	failed
1619781468.203375 FindWindowA	class_name: OLLYDBG window_name:	failed

Detects VirtualBox through the presence of a registry key (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781453.484375 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 3026442 registers.eax: 1447909480 registers.ebp: 4117737492 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 4748130 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 ee 0f 00 00 52 ba 01 exception.symbol: a3a32fd6f454764eaf03dc072873512c+0x8793f exception.instruction: in eax, dx exception.module: a3a32fd6f454764eaf03dc072873512c.exe exception.exception_code: 0xc0000096 exception.offset: 555327 exception.address: 0x48793f	success	0	0

Detects the presence of Wine emulator (1 个事件)

registry

HKEY_CURRENT_USER\Software\Wine

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.40650649
CAT-QuickHeal	Trojan.Generic
ALYac	Trojan.GenericKD.40650649
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic.pak!cobra
SUPERAntiSpyware	Trojan.Agent/Gen-Zusy
Sangfor	Malware
K7AntiVirus	Trojan ( 005464661 )
Alibaba	Backdoor:Win32/Xtrat.d9fc6dfd
K7GW	Trojan ( 005464661 )
Cybereason	malicious.6f4547
Arcabit	Trojan.Generic.D26C4799
Cyren	W32/Zusy.BU.gen!Eldorado
Symantec	SMG.Heur!gen
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Malware.Zusy-6622765-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.GenericKD.40650649
NANO-Antivirus	Trojan.Win32.Virtumod.hkopru
Paloalto	generic.ml
AegisLab	Trojan.Win32.Injector.l6p7
Tencent	Win32.Trojan.Generic.Lmkh
Ad-Aware	Trojan.GenericKD.40650649
Sophos	Mal/Generic-R + Mal/Agent-ATJ
Comodo	TrojWare.Win32.Agent.COC@52vn2u
F-Secure	Trojan.TR/AD.XtremeRAT.cxhrx
DrWeb	Trojan.Virtumod.11842
Zillya	Trojan.Packed.Win32.124354
TrendMicro	TROJ_STRICTOR_HA190043.UVPM
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
FireEye	Generic.mg.a3a32fd6f454764e
Emsisoft	Trojan.GenericKD.40650649 (B)
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.Generic.eacww
Avira	TR/AD.XtremeRAT.cxhrx
Antiy-AVL	Trojan/Win32.AGeneric
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Gridinsoft	Trojan.Win32.Agent.bot!s1
Microsoft	Backdoor:Win32/Xtrat
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Win32.Backdoor.XRat.A
Cynet	Malicious (score: 100)
AhnLab-V3	Backdoor/Win32.Xtreme.C2357910
Acronis	suspicious
McAfee	Packed-ZO!A3A32FD6F454
MAX	malware (ai score=100)
VBA32	Backdoor.Xtreme

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.27.142:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2017-09-03 09:10:44

Imports

Library kernel32.dll:

• 0x43a033 lstrcpy

Library comctl32.dll:

• 0x43a03b InitCommonControls

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com A 172.217.27.142	216.58.200.238
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60221	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.