SmartHawk

7.8

高危

51 个模型检测该样本为恶意！

重新分析

下载样本

758c9e9642b467c181548b07d7d47e32e2e37ce7298e0d89674fdbcbe13eb50e

a7c6d51e2d25248a53fbb968015c2fa9.exe

分析耗时

89s

最近分析

文件大小

3.0MB

静态报毒动态报毒 AI SCORE=87 ARDY ARTEMIS ATTRIBUTE AW31JXPWPLK CONFIDENCE CTCHL GENERIC@ML GKR14TUW HIGHCONFIDENCE HLSMOR IDRC KCLOUD KUDJ KVMH008 LORM MALWARE@#ZPGXYQQA705N OCCAMY POSSIBLETHREAT QUASAR R002C0WF420 RDML SCORE STATIC AI STRICTOR SUSGEN SUSPICIOUS PE THEMIDA TSCOPE UNSAFE ZZ6FDAVUEPQZM 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
CrowdStrike	win/malicious_confidence_80% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20201210	21.1.5827.0
Alibaba	TrojanSpy:MSIL/Quasar.00cab21a	20190527	0.3.0.5
Tencent	Msil.Trojan-spy.Quasar.Lorm	20201211	1.0.0.1
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)	20201211	2017.9.26.565
McAfee	Artemis!A7C6D51E2D25	20201211	6.0.6.653

Checks if process is being debugged by a debugger (40 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826887.196307 IsDebuggerPresent		failed	0	0
1619826887.790307 IsDebuggerPresent		failed	0	0
1619826887.790307 IsDebuggerPresent		failed	0	0
1619826888.087307 IsDebuggerPresent		failed	0	0
1619826890.102307 IsDebuggerPresent		failed	0	0
1619826892.118307 IsDebuggerPresent		failed	0	0
1619826894.133307 IsDebuggerPresent		failed	0	0
1619826896.149307 IsDebuggerPresent		failed	0	0
1619826898.165307 IsDebuggerPresent		failed	0	0
1619826900.180307 IsDebuggerPresent		failed	0	0
1619826902.196307 IsDebuggerPresent		failed	0	0
1619826904.212307 IsDebuggerPresent		failed	0	0
1619826906.227307 IsDebuggerPresent		failed	0	0
1619826908.243307 IsDebuggerPresent		failed	0	0
1619826910.258307 IsDebuggerPresent		failed	0	0
1619826912.274307 IsDebuggerPresent		failed	0	0
1619826914.290307 IsDebuggerPresent		failed	0	0
1619826916.321307 IsDebuggerPresent		failed	0	0
1619826918.352307 IsDebuggerPresent		failed	0	0
1619826920.368307 IsDebuggerPresent		failed	0	0
1619826922.383307 IsDebuggerPresent		failed	0	0
1619826924.399307 IsDebuggerPresent		failed	0	0
1619826926.415307 IsDebuggerPresent		failed	0	0
1619826928.430307 IsDebuggerPresent		failed	0	0
1619826930.446307 IsDebuggerPresent		failed	0	0
1619826932.477307 IsDebuggerPresent		failed	0	0
1619826934.493307 IsDebuggerPresent		failed	0	0
1619826936.508307 IsDebuggerPresent		failed	0	0
1619826938.524307 IsDebuggerPresent		failed	0	0
1619826940.571307 IsDebuggerPresent		failed	0	0
1619826942.587307 IsDebuggerPresent		failed	0	0
1619826944.602307 IsDebuggerPresent		failed	0	0
1619826946.618307 IsDebuggerPresent		failed	0	0
1619826948.633307 IsDebuggerPresent		failed	0	0
1619826950.665307 IsDebuggerPresent		failed	0	0
1619826952.680307 IsDebuggerPresent		failed	0	0
1619826954.712307 IsDebuggerPresent		failed	0	0
1619826956.727307 IsDebuggerPresent		failed	0	0
1619826958.743307 IsDebuggerPresent		failed	0	0
1619826960.790307 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826887.837307 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 个事件)

section	\x00
section	.idata
section	fjktknsc
section	ekjmslxz

One or more processes crashed (50 out of 124 个事件)

Time & API	Arguments	Status
1619826885.618307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 0 registers.eax: 20320256 registers.ebp: 4010827796 registers.edx: 614400 registers.ebx: 20937107 registers.esi: 0 registers.ecx: 614400 exception.instruction_r: 66 81 38 4d 5a 75 0e 0f b7 50 3c 01 c2 81 3a 50 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x979ce exception.instruction: cmp word ptr [eax], 0x5a4d exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000005 exception.offset: 621006 exception.address: 0x13f79ce	success
1619826885.618307 __exception__	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3865048 registers.edi: 0 registers.eax: 3865064 registers.ebp: 3865064 registers.edx: 3865056 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb 60 bd 14 60 10 ef e9 00 02 00 00 32 c7 6e 00 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x97cc6 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 621766 exception.address: 0x13f7cc6	success
1619826885.618307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 235753 registers.eax: 0 registers.ebp: 4010827796 registers.edx: 3865056 registers.ebx: 2130567168 registers.esi: 20941910 registers.ecx: 0 exception.instruction_r: fb e9 93 fc ff ff 81 c6 48 46 eb 7b 81 ec 04 00 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x9876b exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 624491 exception.address: 0x13f876b	success
1619826885.618307 __exception__	stacktrace: registers.esp: 3865012 registers.edi: 235753 registers.eax: 20943218 registers.ebp: 4010827796 registers.edx: 3865056 registers.ebx: 304695577 registers.esi: 20941910 registers.ecx: 0 exception.instruction_r: fb e9 07 fe ff ff 55 89 04 24 51 b9 7e 2b 97 66 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x99688 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 628360 exception.address: 0x13f9688	success
1619826885.618307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 235753 registers.eax: 20945985 registers.ebp: 4010827796 registers.edx: 1259 registers.ebx: 304695577 registers.esi: 20941910 registers.ecx: 0 exception.instruction_r: fb e9 8e 04 00 00 68 d1 f5 e2 3c 5b e9 28 01 00 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x9951a exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 627994 exception.address: 0x13f951a	success
1619826885.633307 __exception__	stacktrace: registers.esp: 3865012 registers.edi: 20978226 registers.eax: 31645 registers.ebp: 4010827796 registers.edx: 2130566132 registers.ebx: 22484966 registers.esi: 22468684 registers.ecx: 619 exception.instruction_r: fb 81 eb 83 c2 ff 4e 03 1c 24 50 c7 04 24 c7 0f exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x211ed9 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2170585 exception.address: 0x1571ed9	success
1619826885.633307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 20978226 registers.eax: 31645 registers.ebp: 4010827796 registers.edx: 2130566132 registers.ebx: 22487971 registers.esi: 0 registers.ecx: 801769 exception.instruction_r: fb 50 89 2c 24 89 04 24 52 ba 00 fd ba 7b 81 e2 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x212284 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2171524 exception.address: 0x1572284	success
1619826885.633307 __exception__	stacktrace: registers.esp: 3865012 registers.edi: 20978226 registers.eax: 26153 registers.ebp: 4010827796 registers.edx: 246255134 registers.ebx: 22493548 registers.esi: 0 registers.ecx: 408096696 exception.instruction_r: fb e9 7e 01 00 00 53 89 0c 24 b9 00 00 00 00 89 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x213b36 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2177846 exception.address: 0x1573b36	success
1619826885.633307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 20978226 registers.eax: 26153 registers.ebp: 4010827796 registers.edx: 246255134 registers.ebx: 22519701 registers.esi: 0 registers.ecx: 408096696 exception.instruction_r: fb 52 c7 04 24 2a 4f 76 10 e9 00 00 00 00 89 04 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x21436b exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2179947 exception.address: 0x157436b	success
1619826885.633307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 1549541099 registers.eax: 26153 registers.ebp: 4010827796 registers.edx: 246255134 registers.ebx: 22496133 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb bb 61 ee 97 1f 51 c7 04 24 cc 99 2e 13 89 2c exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x213f9c exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2178972 exception.address: 0x1573f9c	success
1619826885.633307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 4206090 registers.eax: 29887 registers.ebp: 4010827796 registers.edx: 22553389 registers.ebx: 22496159 registers.esi: 22497937 registers.ecx: 22496159 exception.instruction_r: fb 31 f6 e9 88 fc ff ff 81 6c 24 08 de 50 9e 5f exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x21b43c exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2208828 exception.address: 0x157b43c	success
1619826885.649307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 1114345 registers.eax: 29887 registers.ebp: 4010827796 registers.edx: 22553389 registers.ebx: 22496159 registers.esi: 4294940156 registers.ecx: 22496159 exception.instruction_r: fb 55 68 d7 41 0c 79 e9 1c 01 00 00 89 f5 e9 a9 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x21b1a4 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2208164 exception.address: 0x157b1a4	success
1619826885.649307 __exception__	stacktrace: registers.esp: 3865008 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4010827796 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 22530413 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 56 50 89 2c 24 54 8f 04 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x21cae8 exception.instruction: in eax, dx exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2214632 exception.address: 0x157cae8	success
1619826885.649307 __exception__	stacktrace: registers.esp: 3865008 registers.edi: 1114345 registers.eax: 1 registers.ebp: 4010827796 registers.edx: 22104 registers.ebx: 0 registers.esi: 22530413 registers.ecx: 20 exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x21ef06 exception.address: 0x157ef06 exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc000001d exception.offset: 2223878	success
1619826885.649307 __exception__	stacktrace: registers.esp: 3865008 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4010827796 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 22530413 registers.ecx: 10 exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 f3 2c 2f 12 01 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x21f8b3 exception.instruction: in eax, dx exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2226355 exception.address: 0x157f8b3	success
1619826885.852307 __exception__	stacktrace: registers.esp: 3865012 registers.edi: 1114345 registers.eax: 26566 registers.ebp: 4010827796 registers.edx: 2130566132 registers.ebx: 2487015 registers.esi: 10 registers.ecx: 22566016 exception.instruction_r: fb 51 89 e1 e9 93 04 00 00 c7 04 24 23 7a 55 74 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x225b70 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2251632 exception.address: 0x1585b70	success
1619826885.852307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 0 registers.eax: 26566 registers.ebp: 4010827796 registers.edx: 1342204512 registers.ebx: 2487015 registers.esi: 10 registers.ecx: 22569118 exception.instruction_r: fb 68 b9 c7 30 13 89 1c 24 e9 b7 07 00 00 51 b9 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x2256fc exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2250492 exception.address: 0x15856fc	success
1619826885.852307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 0 registers.eax: 3864976 registers.ebp: 4010827796 registers.edx: 16708 registers.ebx: 22570081 registers.esi: 1502280213 registers.ecx: 22569284 exception.instruction_r: cd 01 eb 00 6a 00 51 e8 03 00 00 00 20 59 c3 59 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x2262fe exception.instruction: int 1 exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000005 exception.offset: 2253566 exception.address: 0x15862fe	success
1619826886.024307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 20933826 registers.eax: 22631796 registers.ebp: 4010827796 registers.edx: 6 registers.ebx: 1026537 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb 55 e9 d7 fa ff ff 89 cb ff 34 24 59 81 c4 04 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x23538b exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2315147 exception.address: 0x159538b	success
1619826886.024307 __exception__	stacktrace: registers.esp: 3865012 registers.edi: 22636786 registers.eax: 28007 registers.ebp: 4010827796 registers.edx: 6 registers.ebx: 1449288146 registers.esi: 0 registers.ecx: 6 exception.instruction_r: fb 68 e2 57 88 5e 89 34 24 e9 aa 01 00 00 81 c3 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x236fdc exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2322396 exception.address: 0x1596fdc	success
1619826886.024307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 22664793 registers.eax: 28007 registers.ebp: 4010827796 registers.edx: 6 registers.ebx: 1449288146 registers.esi: 0 registers.ecx: 6 exception.instruction_r: fb 56 89 e6 81 c6 04 00 00 00 81 ee 04 00 00 00 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x23702a exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2322474 exception.address: 0x159702a	success
1619826886.024307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 22639633 registers.eax: 28007 registers.ebp: 4010827796 registers.edx: 604292951 registers.ebx: 1449288146 registers.esi: 0 registers.ecx: 6 exception.instruction_r: fb e9 ee fd ff ff 89 1c 24 89 34 24 89 0c 24 e9 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x237066 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2322534 exception.address: 0x1597066	success
1619826886.024307 __exception__	stacktrace: registers.esp: 3865012 registers.edi: 22639633 registers.eax: 30240 registers.ebp: 4010827796 registers.edx: 1359280788 registers.ebx: 1449288146 registers.esi: 22640017 registers.ecx: 6 exception.instruction_r: fb 81 ee e0 5e f3 1c 50 b8 9c d7 9f 6e 29 c6 ff exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x2375af exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2323887 exception.address: 0x15975af	success
1619826886.024307 __exception__	stacktrace: registers.esp: 3865016 registers.edi: 22639633 registers.eax: 30240 registers.ebp: 4010827796 registers.edx: 262633 registers.ebx: 1449288146 registers.esi: 22670257 registers.ecx: 4294939956 exception.instruction_r: fb e9 48 05 00 00 5e 81 ec 04 00 00 00 89 3c 24 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x23782c exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2324524 exception.address: 0x159782c	success
1619826886.024307 __exception__	stacktrace: registers.esp: 3865008 registers.edi: 22639633 registers.eax: 28856 registers.ebp: 4010827796 registers.edx: 262633 registers.ebx: 22690781 registers.esi: 22670257 registers.ecx: 1240693640 exception.instruction_r: fb 29 c9 ff 34 19 ff 34 24 e9 09 00 00 00 89 ce exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x23d482 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2348162 exception.address: 0x159d482	success
1619826886.024307 __exception__	stacktrace: registers.esp: 3865008 registers.edi: 770265171 registers.eax: 28856 registers.ebp: 4010827796 registers.edx: 262633 registers.ebx: 22690781 registers.esi: 22670257 registers.ecx: 4294941004 exception.instruction_r: fb 57 e9 fe fb ff ff 83 eb 04 87 1c 24 e9 91 04 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x23cf4e exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2346830 exception.address: 0x159cf4e	success
1619826886.055307 __exception__	stacktrace: registers.esp: 3865004 registers.edi: 22717310 registers.eax: 27465 registers.ebp: 4010827796 registers.edx: 2130566132 registers.ebx: 3237150720 registers.esi: 3707 registers.ecx: 3237191568 exception.instruction_r: fb e9 14 00 00 00 01 d5 81 c5 7d 68 f6 3b 5a 83 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x24ad58 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2403672 exception.address: 0x15aad58	success
1619826886.055307 __exception__	stacktrace: registers.esp: 3865008 registers.edi: 22720487 registers.eax: 27465 registers.ebp: 4010827796 registers.edx: 2130566132 registers.ebx: 1442867808 registers.esi: 3707 registers.ecx: 0 exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 68 29 91 cd 67 89 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x24a83c exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2402364 exception.address: 0x15aa83c	success
1619826886.071307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 0 registers.eax: 22821035 registers.ebp: 4010827796 registers.edx: 2130566132 registers.ebx: 22786743 registers.esi: 22786775 registers.ecx: 3237150720 exception.instruction_r: fb 51 e9 9c ff ff ff ba 0e cd df 6d f7 d2 81 f2 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x25cadf exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2476767 exception.address: 0x15bcadf	success
1619826886.071307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 2633577064 registers.eax: 22821035 registers.ebp: 4010827796 registers.edx: 4294940760 registers.ebx: 22786743 registers.esi: 22786775 registers.ecx: 3237150720 exception.instruction_r: fb 55 e9 5a 00 00 00 5c e9 64 09 00 00 01 fa 5f exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x25c514 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2475284 exception.address: 0x15bc514	success
1619826886.071307 __exception__	stacktrace: registers.esp: 3864972 registers.edi: 2633577064 registers.eax: 22794909 registers.ebp: 4010827796 registers.edx: 4294940760 registers.ebx: 2126441138 registers.esi: 22786775 registers.ecx: 851480745 exception.instruction_r: fb 83 ec 04 89 1c 24 89 34 24 51 53 bb c6 53 f7 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x25d886 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2480262 exception.address: 0x15bd886	success
1619826886.087307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 1375758944 registers.eax: 22798220 registers.ebp: 4010827796 registers.edx: 4294940760 registers.ebx: 0 registers.esi: 22786775 registers.ecx: 851480745 exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 b8 e2 e5 a7 69 91 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x25de7a exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2481786 exception.address: 0x15bde7a	success
1619826886.087307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 1375758944 registers.eax: 26690 registers.ebp: 4010827796 registers.edx: 22826918 registers.ebx: 773347774 registers.esi: 22786775 registers.ecx: 851480745 exception.instruction_r: fb e9 ea f8 ff ff 81 44 24 08 02 96 5b 1e e9 3d exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x25ef2e exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2486062 exception.address: 0x15bef2e	success
1619826886.087307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 1375758944 registers.eax: 26690 registers.ebp: 4010827796 registers.edx: 22803506 registers.ebx: 0 registers.esi: 22786775 registers.ecx: 387424 exception.instruction_r: fb e9 31 00 00 00 89 2c 24 bd e2 4d 79 3f 09 e9 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x25f1b5 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2486709 exception.address: 0x15bf1b5	success
1619826886.133307 __exception__	stacktrace: registers.esp: 3864972 registers.edi: 22804041 registers.eax: 27365 registers.ebp: 4010827796 registers.edx: 2147462859 registers.ebx: 65802 registers.esi: 22804059 registers.ecx: 22851828 exception.instruction_r: fb 68 6e 07 03 6e e9 c1 fc ff ff 89 cd 89 ea e9 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x26b470 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2536560 exception.address: 0x15cb470	success
1619826886.133307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 22804041 registers.eax: 27365 registers.ebp: 4010827796 registers.edx: 2147462859 registers.ebx: 65802 registers.esi: 22804059 registers.ecx: 22879193 exception.instruction_r: fb 53 c7 04 24 67 10 9d 3c c1 24 24 06 e9 15 fd exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x26b98a exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2537866 exception.address: 0x15cb98a	success
1619826886.133307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 22804041 registers.eax: 27365 registers.ebp: 4010827796 registers.edx: 2147462859 registers.ebx: 0 registers.esi: 411369 registers.ecx: 22854421 exception.instruction_r: fb e9 3b 00 00 00 41 e9 5a 01 00 00 4a 52 87 0c exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x26b37f exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2536319 exception.address: 0x15cb37f	success
1619826887.149307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 0 registers.eax: 28201 registers.ebp: 4010827796 registers.edx: 22867752 registers.ebx: 24811 registers.esi: 411369 registers.ecx: 869 exception.instruction_r: fb 57 89 e7 51 57 51 b9 fe 2f e7 56 49 81 e9 ca exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x26e4d9 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2548953 exception.address: 0x15ce4d9	success
1619826887.149307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 22876015 registers.eax: 30524 registers.ebp: 4010827796 registers.edx: 22876015 registers.ebx: 24812 registers.esi: 22875730 registers.ecx: 22907135 exception.instruction_r: fb 53 89 04 24 50 89 3c 24 89 24 24 83 04 24 04 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x2717aa exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2561962 exception.address: 0x15d17aa	success
1619826887.149307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 22876015 registers.eax: 4294939820 registers.ebp: 4010827796 registers.edx: 22876015 registers.ebx: 33001 registers.esi: 22875730 registers.ecx: 22907135 exception.instruction_r: fb 50 e9 c4 f9 ff ff 81 f6 49 bd dd 79 31 f5 5e exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x271a33 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2562611 exception.address: 0x15d1a33	success
1619826887.149307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 10616832 registers.eax: 27241 registers.ebp: 4010827796 registers.edx: 22910024 registers.ebx: 0 registers.esi: 22804946 registers.ecx: 1292 exception.instruction_r: fb 31 c0 ff 34 02 50 b8 f8 57 fe 6e 29 44 24 04 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x272a09 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2566665 exception.address: 0x15d2a09	success
1619826887.149307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 10616832 registers.eax: 4294942412 registers.ebp: 4010827796 registers.edx: 22910024 registers.ebx: 157417 registers.esi: 22804946 registers.ecx: 1292 exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 c7 04 24 fd 7b f9 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x272fec exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2568172 exception.address: 0x15d2fec	success
1619826887.165307 __exception__	stacktrace: registers.esp: 3864972 registers.edi: 10616832 registers.eax: 29551 registers.ebp: 4010827796 registers.edx: 2130566132 registers.ebx: 201834 registers.esi: 89958538 registers.ecx: 22929662 exception.instruction_r: fb 81 e9 00 c9 5c 5d 83 ec 04 89 3c 24 68 9a 69 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x27e248 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2613832 exception.address: 0x15de248	success
1619826887.165307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 10616832 registers.eax: 29551 registers.ebp: 4010827796 registers.edx: 2130566132 registers.ebx: 201834 registers.esi: 89958538 registers.ecx: 22959213 exception.instruction_r: fb e9 a0 00 00 00 53 c7 04 24 d1 37 d9 5c 89 04 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x27e10f exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2613519 exception.address: 0x15de10f	success
1619826887.165307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 4294940196 registers.eax: 29551 registers.ebp: 4010827796 registers.edx: 322689 registers.ebx: 201834 registers.esi: 89958538 registers.ecx: 22959213 exception.instruction_r: fb 83 ec 04 89 04 24 89 1c 24 50 68 d2 37 d4 3b exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x27e9fd exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2615805 exception.address: 0x15de9fd	success
1619826887.180307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 22951486 registers.eax: 32369 registers.ebp: 4010827796 registers.edx: 0 registers.ebx: 2144 registers.esi: 2298801283 registers.ecx: 22995759 exception.instruction_r: fb 56 e9 26 00 00 00 59 81 f1 80 a3 bf 6b 5a 81 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x28df8c exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2678668 exception.address: 0x15edf8c	success
1619826887.196307 __exception__	stacktrace: registers.esp: 3864972 registers.edi: 23027997 registers.eax: 32790 registers.ebp: 4010827796 registers.edx: 2130566132 registers.ebx: 2002452454 registers.esi: 2298801283 registers.ecx: 23039572 exception.instruction_r: fb 55 bd b2 a9 ae 43 81 ed 44 33 dd 5d 4d 81 e5 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x299030 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2723888 exception.address: 0x15f9030	success
1619826887.196307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 23027997 registers.eax: 32790 registers.ebp: 4010827796 registers.edx: 2130566132 registers.ebx: 2002452454 registers.esi: 2298801283 registers.ecx: 23072362 exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 b9 ca 28 fd 1f 89 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x299104 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2724100 exception.address: 0x15f9104	success
1619826887.196307 __exception__	stacktrace: registers.esp: 3864976 registers.edi: 23027997 registers.eax: 32790 registers.ebp: 4010827796 registers.edx: 2170115153 registers.ebx: 2002452454 registers.esi: 4294937464 registers.ecx: 23072362 exception.instruction_r: fb b9 b2 aa ce 2f 81 e9 84 4d fd 7a c1 e9 06 81 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x299927 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2726183 exception.address: 0x15f9927	success
1619826887.196307 __exception__	stacktrace: registers.esp: 3864972 registers.edi: 23027997 registers.eax: 23070234 registers.ebp: 4010827796 registers.edx: 2130566132 registers.ebx: 4281858503 registers.esi: 4020229461 registers.ecx: 3237150720 exception.instruction_r: fb 05 10 b1 bb 77 51 e9 0c 02 00 00 31 fd e9 c4 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x2a0c84 exception.instruction: sti exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2755716 exception.address: 0x1600c84	success

Allocates read-write-execute memory (usually to unpack itself) (50 out of 641 个事件)

Time & API	Arguments	Status	Return
1619826886.133307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75251000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75f61000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76541000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f1000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x768e2000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x776b1000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77860000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75251000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x752512d0	failed	3221225477
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x754a1000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75900000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76541000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x765417d0	failed	3221225477
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x765e1000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f1000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f19a8	failed	3221225477
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x768e2000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x768e224c	failed	3221225477
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a0000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x776b1000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x776b1014	failed	3221225477
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77860000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77860070	failed	3221225477
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75951000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75c80000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f1000	success	0
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f1394	failed	3221225477
1619826886.149307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x768e1000	success	0
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75251000	success	0
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75251188	failed	3221225477
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x754a1000	success	0
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x754a1350	failed	3221225477
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75f61000	success	0
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75f610e4	failed	3221225477
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x76541000	success	0
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x7654180c	failed	3221225477
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x765e1000	success	0
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x765e10ec	failed	3221225477
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a0000	success	0
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a035c	failed	3221225477
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x776b1000	success	0
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x776b11c8	failed	3221225477
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75951000	success	0
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75951198	failed	3221225477
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75c80000	success	0
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75c80270	failed	3221225477
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f1000	success	0
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x766f13a8	failed	3221225477
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x768e1000	success	0
1619826886.165307 NtProtectVirtualMemory	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x768e124c	failed	3221225477

A process attempted to delay the analysis task. (1 个事件)

description

a7c6d51e2d25248a53fbb968015c2fa9.exe tried to sleep 665 seconds, actually delayed analysis time by 665 seconds

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.974962133955598

section

{'size_of_data': '0x00041000', 'virtual_address': '0x00002000', 'entropy': 7.974962133955598, 'name': ' \\x00 ', 'virtual_size': '0x00072000'}

description

A section with a high entropy has been found

entropy

7.414253098760752

section

{'size_of_data': '0x0001e200', 'virtual_address': '0x00074000', 'entropy': 7.414253098760752, 'name': '.rsrc', 'virtual_size': '0x0001e018'}

description

A section with a high entropy has been found

Expresses interest in specific running processes (1 个事件)

process

system

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Checks for the presence of known devices from debuggers and forensic tools (3 个事件)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 221 个事件)

Time & API	Arguments	Status
1619826887.180307 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826887.180307 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826887.180307 FindWindowA	class_name: pediy06 window_name:	failed
1619826887.196307 FindWindowA	class_name: FilemonClass window_name:	failed
1619826887.196307 FindWindowA	class_name: FilemonClass window_name:	failed
1619826887.196307 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1619826887.196307 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619826887.196307 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1619826887.196307 FindWindowA	class_name: RegmonClass window_name:	failed
1619826887.196307 FindWindowA	class_name: RegmonClass window_name:	failed
1619826887.196307 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1619826887.196307 FindWindowA	class_name: 18467-41 window_name:	failed
1619826887.290307 FindWindowA	class_name: FilemonClass window_name:	failed
1619826887.290307 FindWindowA	class_name: FilemonClass window_name:	failed
1619826887.290307 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1619826887.290307 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619826887.290307 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1619826888.087307 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826888.087307 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826888.087307 FindWindowA	class_name: pediy06 window_name:	failed
1619826890.102307 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826890.102307 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826890.102307 FindWindowA	class_name: pediy06 window_name:	failed
1619826891.321307 FindWindowA	class_name: Regmonclass window_name:	failed
1619826891.321307 FindWindowA	class_name: Regmonclass window_name:	failed
1619826891.633307 FindWindowA	class_name: 18467-41 window_name:	failed
1619826891.946307 FindWindowA	class_name: Filemonclass window_name:	failed
1619826891.946307 FindWindowA	class_name: Filemonclass window_name:	failed
1619826891.946307 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619826892.118307 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826892.118307 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826892.118307 FindWindowA	class_name: pediy06 window_name:	failed
1619826894.133307 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826894.133307 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826894.133307 FindWindowA	class_name: pediy06 window_name:	failed
1619826895.946307 FindWindowA	class_name: Regmonclass window_name:	failed
1619826895.946307 FindWindowA	class_name: Regmonclass window_name:	failed
1619826896.149307 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826896.149307 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826896.149307 FindWindowA	class_name: pediy06 window_name:	failed
1619826896.258307 FindWindowA	class_name: 18467-41 window_name:	failed
1619826896.571307 FindWindowA	class_name: Filemonclass window_name:	failed
1619826896.571307 FindWindowA	class_name: Filemonclass window_name:	failed
1619826896.571307 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619826898.165307 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826898.165307 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826898.165307 FindWindowA	class_name: pediy06 window_name:	failed
1619826900.180307 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826900.180307 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826900.180307 FindWindowA	class_name: pediy06 window_name:	failed

Checks the version of Bios, possibly for anti-virtualization (2 个事件)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Detects VirtualBox through the presence of a registry key (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826885.649307 __exception__	stacktrace: registers.esp: 3865008 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 4010827796 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 22530413 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 56 50 89 2c 24 54 8f 04 exception.symbol: a7c6d51e2d25248a53fbb968015c2fa9+0x21cae8 exception.instruction: in eax, dx exception.module: a7c6d51e2d25248a53fbb968015c2fa9.exe exception.exception_code: 0xc0000096 exception.offset: 2214632 exception.address: 0x157cae8	success	0	0

Detects the presence of Wine emulator (1 个事件)

registry

HKEY_CURRENT_USER\Software\Wine

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 个事件)

MicroWorld-eScan	Gen:Variant.Strictor.245393
FireEye	Generic.mg.a7c6d51e2d25248a
Cylance	Unsafe
Zillya	Trojan.Quasar.Win32.3524
Sangfor	Malware
K7AntiVirus	Trojan ( 0055bc761 )
K7GW	Trojan ( 0055bc761 )
CrowdStrike	win/malicious_confidence_80% (W)
Cyren	W32/Trojan.IDRC-9040
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.Themida.HFL
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Trojan-Spy.MSIL.Quasar.jnv
Alibaba	TrojanSpy:MSIL/Quasar.00cab21a
NANO-Antivirus	Trojan.Win32.Strictor.hlsmor
Paloalto	generic.ml
AegisLab	Riskware.Win32.Strictor.1!c
Tencent	Msil.Trojan-spy.Quasar.Lorm
Ad-Aware	Gen:Variant.Strictor.245393
Comodo	Malware@#zpgxyqqa705n
F-Secure	Trojan.TR/Spy.Quasar.ctchl
DrWeb	Trojan.Packed.193
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0WF420
McAfee-GW-Edition	BehavesLike.Win32.Kudj.wh
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Jiangmin	TrojanSpy.MSIL.ardy
eGambit	Unsafe.AI_Score_92%
Avira	TR/Spy.Quasar.ctchl
Antiy-AVL	Trojan[Spy]/MSIL.Quasar
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Gridinsoft	Trojan.Heur!.030100A1
Arcabit	Trojan.Strictor.D3BE91
ZoneAlarm	Trojan-Spy.MSIL.Quasar.jnv
Microsoft	Trojan:Win32/Occamy.C75
Cynet	Malicious (score: 100)
McAfee	Artemis!A7C6D51E2D25
MAX	malware (ai score=87)
VBA32	TScope.Malware-Cryptor.SB
TrendMicro-HouseCall	TROJ_GEN.R002C0WF420
Rising	Trojan.Generic@ML.99 (RDML:zZ6fDavuEPQzm/gkR14Tuw)
Yandex	Trojan.Themida!AW31JxpwPlk
Ikarus	Trojan.Win32.Themida
MaxSecure	Trojan.Malware.74019079.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
Cybereason	malicious.e2d252
Panda	Trj/CI.A

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-06-02 09:45:28

Imports

Library kernel32.dll:

• 0x494033 lstrcpy

Library comctl32.dll:

• 0x49403b InitCommonControls

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.110
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	50537	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.