SmartHawk

7.4

高危

63 个模型检测该样本为恶意！

重新分析

下载样本

8edd6dd53784f816039a5f935567cb551d0743a85713116670d2caae1d9ebd86

ab56308b5b2e33d12c34f13b0d8b1667.exe

分析耗时

75s

最近分析

文件大小

945.5KB

静态报毒动态报毒 100% 7Y2AAQIRKNMI AGENERIC AI SCORE=100 AIDETECTVM CLASSIC COC@52VN2U CONFIDENCE CXHRX EAKHY ELDORADO GENERICKD GENETIC HA190043 HIGH CONFIDENCE KCLOUD KVMH008 L6P7 LNNY MALICIOUS PE MALWARE1 QUHM9DRKW R + MAL REMTASU SCORE STATIC AI STRICTOR THEMIDA UNSAFE UVPM VIRTUMOD XRAT XTRAT XTREME XTREMERAT ZEXAF ZUSY 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Packed-ZO!AB56308B5B2E	20201211	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20201210	21.1.5827.0
Alibaba	Backdoor:Win32/Xtrat.a8ad89a8	20190527	0.3.0.5
Tencent	Win32.Trojan.Generic.Lnny	20201211	1.0.0.1
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)	20201211	2017.9.26.565

Checks if process is being debugged by a debugger (31 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826881.193588 IsDebuggerPresent		failed	0	0
1619826882.771588 IsDebuggerPresent		failed	0	0
1619826884.787588 IsDebuggerPresent		failed	0	0
1619826886.803588 IsDebuggerPresent		failed	0	0
1619826888.818588 IsDebuggerPresent		failed	0	0
1619826890.834588 IsDebuggerPresent		failed	0	0
1619826892.849588 IsDebuggerPresent		failed	0	0
1619826894.865588 IsDebuggerPresent		failed	0	0
1619826896.881588 IsDebuggerPresent		failed	0	0
1619826898.896588 IsDebuggerPresent		failed	0	0
1619826900.912588 IsDebuggerPresent		failed	0	0
1619826902.928588 IsDebuggerPresent		failed	0	0
1619826904.943588 IsDebuggerPresent		failed	0	0
1619826906.959588 IsDebuggerPresent		failed	0	0
1619826908.974588 IsDebuggerPresent		failed	0	0
1619826910.990588 IsDebuggerPresent		failed	0	0
1619826913.006588 IsDebuggerPresent		failed	0	0
1619826915.021588 IsDebuggerPresent		failed	0	0
1619826917.037588 IsDebuggerPresent		failed	0	0
1619826919.053588 IsDebuggerPresent		failed	0	0
1619826921.068588 IsDebuggerPresent		failed	0	0
1619826923.084588 IsDebuggerPresent		failed	0	0
1619826925.099588 IsDebuggerPresent		failed	0	0
1619826927.115588 IsDebuggerPresent		failed	0	0
1619826929.131588 IsDebuggerPresent		failed	0	0
1619826931.146588 IsDebuggerPresent		failed	0	0
1619826933.162588 IsDebuggerPresent		failed	0	0
1619826935.178588 IsDebuggerPresent		failed	0	0
1619826937.193588 IsDebuggerPresent		failed	0	0
1619826939.209588 IsDebuggerPresent		failed	0	0
1619826941.224588 IsDebuggerPresent		failed	0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 个事件)

section	\x00
section	.idata
section
section	nhgxrnnn
section	zgwhklkc

One or more processes crashed (50 out of 119 个事件)

Time & API	Arguments	Status
1619826880.224588 __exception__	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1638276 registers.edi: 0 registers.eax: 1 registers.ebp: 1638292 registers.edx: 6262784 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x12e0c9 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 1237193 exception.address: 0x52e0c9	success
1619826880.224588 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4445554 registers.eax: 25691 registers.ebp: 4117737492 registers.edx: 1910749778 registers.ebx: 0 registers.esi: 3 registers.ecx: 1983315968 exception.instruction_r: fb e9 d7 fe ff ff 81 c5 04 00 00 00 81 ed 04 00 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x3ce6b exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 249451 exception.address: 0x43ce6b	success
1619826880.224588 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4445554 registers.eax: 26092 registers.ebp: 4117737492 registers.edx: 4472104 registers.ebx: 0 registers.esi: 3 registers.ecx: 1983315968 exception.instruction_r: fb 51 e9 5e ff ff ff 56 55 bd b4 03 6b 1e 89 ee exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x3d840 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 251968 exception.address: 0x43d840	success
1619826880.224588 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4445554 registers.eax: 223465 registers.ebp: 4117737492 registers.edx: 4448476 registers.ebx: 0 registers.esi: 3 registers.ecx: 1983315968 exception.instruction_r: fb 83 ec 04 e9 42 fd ff ff 8b 04 24 81 c4 04 00 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x3dd35 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 253237 exception.address: 0x43dd35	success
1619826880.224588 __exception__	stacktrace: registers.esp: 1638240 registers.edi: 4445554 registers.eax: 4708907 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 12583104 registers.esi: 3 registers.ecx: 192 exception.instruction_r: fb 53 bb e3 50 b2 59 01 d8 5b 55 e9 c7 fc ff ff exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x7e03d exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 516157 exception.address: 0x47e03d	success
1619826880.240588 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4445554 registers.eax: 4712227 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 3 registers.ecx: 432617 exception.instruction_r: fb 68 71 36 00 00 89 3c 24 68 cb 6f 2c 10 e9 00 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x7dc84 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 515204 exception.address: 0x47dc84	success
1619826880.240588 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 199913 registers.eax: 26616 registers.ebp: 4117737492 registers.edx: 4745815 registers.ebx: 4714675 registers.esi: 1164460653 registers.ecx: 4294943196 exception.instruction_r: fb e9 95 02 00 00 89 1c 24 54 5b 81 c3 04 00 00 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x8058b exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 525707 exception.address: 0x48058b	success
1619826880.240588 __exception__	stacktrace: registers.esp: 1638240 registers.edi: 2502154 registers.eax: 31313 registers.ebp: 4117737492 registers.edx: 4724160 registers.ebx: 4714675 registers.esi: 1164460653 registers.ecx: 0 exception.instruction_r: fb 57 bf 2b 2d ad 5a e9 c3 01 00 00 ba 00 00 00 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x818fb exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 530683 exception.address: 0x4818fb	success
1619826880.240588 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 2502154 registers.eax: 31313 registers.ebp: 4117737492 registers.edx: 4755473 registers.ebx: 4714675 registers.esi: 1164460653 registers.ecx: 0 exception.instruction_r: fb 52 50 68 cc 4b 03 0f 58 25 14 72 b5 1f 25 90 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x81d97 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 531863 exception.address: 0x481d97	success
1619826880.256588 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 2502154 registers.eax: 134889 registers.ebp: 4117737492 registers.edx: 4755473 registers.ebx: 4294939020 registers.esi: 1164460653 registers.ecx: 0 exception.instruction_r: fb e9 ab fb ff ff 89 e0 e9 b5 f8 ff ff 81 c4 04 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x82118 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 532760 exception.address: 0x482118	success
1619826880.271588 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 2502154 registers.eax: 1447909480 registers.ebp: 4117737492 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 4748130 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 ee 0f 00 00 52 ba 01 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x8793f exception.instruction: in eax, dx exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 555327 exception.address: 0x48793f	success
1619826880.271588 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 2502154 registers.eax: 1 registers.ebp: 4117737492 registers.edx: 22104 registers.ebx: 0 registers.esi: 4748130 registers.ecx: 20 exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x8b189 exception.address: 0x48b189 exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc000001d exception.offset: 569737	success
1619826880.271588 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 2502154 registers.eax: 1447909480 registers.ebp: 4117737492 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 4748130 registers.ecx: 10 exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 1d 31 d4 0a 01 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x87c7b exception.instruction: in eax, dx exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 556155 exception.address: 0x487c7b	success
1619826880.459588 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4294939076 registers.eax: 31687 registers.ebp: 4117737492 registers.edx: 233396064 registers.ebx: 4807049 registers.esi: 10 registers.ecx: 3284008960 exception.instruction_r: fb 50 89 2c 24 e9 01 f9 ff ff 81 c7 04 00 00 00 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x8e57a exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 583034 exception.address: 0x48e57a	success
1619826880.459588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 0 registers.eax: 1638204 registers.ebp: 4117737492 registers.edx: 0 registers.ebx: 4779724 registers.esi: 4779063 registers.ecx: 4779063 exception.instruction_r: cd 01 eb 00 6a 00 57 e8 03 00 00 00 20 5f c3 5f exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x8ed4f exception.instruction: int 1 exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000005 exception.offset: 585039 exception.address: 0x48ed4f	success
1619826880.678588 __exception__	stacktrace: registers.esp: 1638240 registers.edi: 4439822 registers.eax: 26899 registers.ebp: 4117737492 registers.edx: 6 registers.ebx: 67287625 registers.esi: 4820453 registers.ecx: 0 exception.instruction_r: fb e9 a5 09 00 00 29 f0 e9 51 ff ff ff 31 34 24 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x98ea6 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 626342 exception.address: 0x498ea6	success
1619826880.678588 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4439822 registers.eax: 26899 registers.ebp: 4117737492 registers.edx: 6 registers.ebx: 67287625 registers.esi: 4847352 registers.ecx: 0 exception.instruction_r: fb 57 50 b8 97 21 6f 5e c1 e0 03 35 1f 7f 3d a9 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x9966b exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 628331 exception.address: 0x49966b	success
1619826880.693588 __exception__	stacktrace: registers.esp: 1638244 registers.edi: 4439822 registers.eax: 26899 registers.ebp: 4117737492 registers.edx: 539625 registers.ebx: 67287625 registers.esi: 4823220 registers.ecx: 0 exception.instruction_r: fb 68 a2 23 00 00 e9 f1 f9 ff ff 81 f7 49 04 1d exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x9957f exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 628095 exception.address: 0x49957f	success
1619826880.693588 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 4439822 registers.eax: 31495 registers.ebp: 4117737492 registers.edx: 4871048 registers.ebx: 67287625 registers.esi: 4823220 registers.ecx: 539625 exception.instruction_r: fb 68 00 00 00 00 ff 34 24 ff 34 24 e9 50 00 00 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x9e312 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 647954 exception.address: 0x49e312	success
1619826880.693588 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 4122962 registers.eax: 31495 registers.ebp: 4117737492 registers.edx: 4871048 registers.ebx: 4294938776 registers.esi: 4823220 registers.ecx: 539625 exception.instruction_r: fb 68 cb 66 00 00 e9 6a fd ff ff be 04 00 00 00 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x9e10e exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 647438 exception.address: 0x49e10e	success
1619826880.693588 __exception__	stacktrace: registers.esp: 1638232 registers.edi: 4122962 registers.eax: 28438 registers.ebp: 4117737492 registers.edx: 4842771 registers.ebx: 4294938776 registers.esi: 4823220 registers.ecx: 539625 exception.instruction_r: fb 50 51 b9 e0 70 6e 4c 89 c8 59 c1 e0 02 55 50 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x9ed62 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 650594 exception.address: 0x49ed62	success
1619826880.693588 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 4122962 registers.eax: 28438 registers.ebp: 4117737492 registers.edx: 4871209 registers.ebx: 4294938776 registers.esi: 4823220 registers.ecx: 539625 exception.instruction_r: fb 68 d7 18 00 00 ff 34 24 ff 34 24 8b 0c 24 51 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x9e752 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 649042 exception.address: 0x49e752	success
1619826880.709588 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 82608469 registers.eax: 28438 registers.ebp: 4117737492 registers.edx: 4845773 registers.ebx: 4294938776 registers.esi: 4823220 registers.ecx: 0 exception.instruction_r: fb 57 bf 97 50 77 57 55 68 57 78 88 40 8b 2c 24 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x9edd7 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 650711 exception.address: 0x49edd7	success
1619826880.709588 __exception__	stacktrace: registers.esp: 1638232 registers.edi: 82608469 registers.eax: 4846251 registers.ebp: 4117737492 registers.edx: 4845773 registers.ebx: 123136138 registers.esi: 4823220 registers.ecx: 2011404426 exception.instruction_r: fb 2d 96 0d 93 13 05 3c 45 c3 19 2d 61 1a 03 49 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x9f3be exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 652222 exception.address: 0x49f3be	success
1619826880.709588 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 0 registers.eax: 4849060 registers.ebp: 4117737492 registers.edx: 4845773 registers.ebx: 123136138 registers.esi: 66281 registers.ecx: 2011404426 exception.instruction_r: fb 50 e9 a3 fc ff ff 81 c6 04 00 00 00 e9 76 fd exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x9f9b4 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 653748 exception.address: 0x49f9b4	success
1619826880.756588 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 1166475412 registers.eax: 30428 registers.ebp: 4117737492 registers.edx: 1723711319 registers.ebx: 4924131 registers.esi: 45225 registers.ecx: 3284008960 exception.instruction_r: fb 31 d2 e9 dd fd ff ff 5a 5a 68 9d 7d 00 00 89 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xab357 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 701271 exception.address: 0x4ab357	success
1619826880.756588 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 1166475412 registers.eax: 30428 registers.ebp: 4117737492 registers.edx: 4294939356 registers.ebx: 4924131 registers.esi: 45225 registers.ecx: 116969 exception.instruction_r: fb 68 72 4a 92 33 ff 34 24 e9 ad 03 00 00 55 52 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xaad61 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 699745 exception.address: 0x4aad61	success
1619826880.771588 __exception__	stacktrace: registers.esp: 1638200 registers.edi: 4970631 registers.eax: 29209 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 4096 registers.esi: 4974378 registers.ecx: 2135536034 exception.instruction_r: fb 81 ef ec 0f 12 56 81 ec 04 00 00 00 89 1c 24 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xbe31f exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 779039 exception.address: 0x4be31f	success
1619826880.771588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 4999840 registers.eax: 29209 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 4096 registers.esi: 4974378 registers.ecx: 2135536034 exception.instruction_r: fb 68 1a 5e 00 00 89 14 24 e9 4e 03 00 00 5d e9 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xbdb19 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 776985 exception.address: 0x4bdb19	success
1619826880.771588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 4973944 registers.eax: 2041757270 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 4974378 registers.ecx: 2135536034 exception.instruction_r: fb 50 52 ba 46 61 8c 63 81 f2 a2 02 1c 7e 81 ca exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xbe0d6 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 778454 exception.address: 0x4be0d6	success
1619826880.771588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 4973944 registers.eax: 32055 registers.ebp: 4117737492 registers.edx: 2033719911 registers.ebx: 0 registers.esi: 5006283 registers.ecx: 322094082 exception.instruction_r: fb 29 c9 ff 34 31 e9 60 00 00 00 bf 14 1a f7 66 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xbef2a exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 782122 exception.address: 0x4bef2a	success
1619826880.771588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 4973944 registers.eax: 1133481357 registers.ebp: 4117737492 registers.edx: 2033719911 registers.ebx: 0 registers.esi: 5006283 registers.ecx: 4294938244 exception.instruction_r: fb 50 89 e0 56 e9 2e 01 00 00 51 b9 ab 03 af 38 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xbe746 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 780102 exception.address: 0x4be746	success
1619826880.771588 __exception__	stacktrace: registers.esp: 1638200 registers.edi: 4979784 registers.eax: 25721 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 35328 registers.esi: 5006283 registers.ecx: 2005871740 exception.instruction_r: fb 53 55 bd 51 72 50 0d bb 1a bd 0a 4d 29 eb 5d exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xbfe47 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 785991 exception.address: 0x4bfe47	success
1619826880.787588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5005505 registers.eax: 25721 registers.ebp: 4117737492 registers.edx: 2130566132 registers.ebx: 4294943980 registers.esi: 5006283 registers.ecx: 1452182925 exception.instruction_r: fb e9 1b f8 ff ff 89 3c 24 89 14 24 89 e2 81 c2 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xc050a exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 787722 exception.address: 0x4c050a	success
1619826880.787588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 0 registers.eax: 4996279 registers.ebp: 4117737492 registers.edx: 2130378752 registers.ebx: 65802 registers.esi: 6650667 registers.ecx: 856006029 exception.instruction_r: fb 68 79 52 00 00 e9 96 fd ff ff 8b 14 24 51 54 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xc3ab9 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 801465 exception.address: 0x4c3ab9	success
1619826880.787588 __exception__	stacktrace: registers.esp: 1638200 registers.edi: 0 registers.eax: 30472 registers.ebp: 4117737492 registers.edx: 2130378752 registers.ebx: 4449049 registers.esi: 5002169 registers.ecx: 856006029 exception.instruction_r: fb 81 ee 26 3c d4 76 52 ba b1 67 53 60 29 d6 8b exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xc5acc exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 809676 exception.address: 0x4c5acc	success
1619826880.787588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 0 registers.eax: 30472 registers.ebp: 4117737492 registers.edx: 2130378752 registers.ebx: 4449049 registers.esi: 5032641 registers.ecx: 856006029 exception.instruction_r: fb 31 c9 ff 34 31 8b 1c 24 68 88 41 00 00 89 34 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xc5c5e exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 810078 exception.address: 0x4c5c5e	success
1619826880.787588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 0 registers.eax: 30472 registers.ebp: 4117737492 registers.edx: 2130378752 registers.ebx: 71913 registers.esi: 5032641 registers.ecx: 4294939440 exception.instruction_r: fb 68 c4 d2 97 24 ff 34 24 5b 53 e9 1d 03 00 00 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xc586b exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 809067 exception.address: 0x4c586b	success
1619826880.834588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5041433 registers.eax: 29096 registers.ebp: 4117737492 registers.edx: 4294940772 registers.ebx: 18938888 registers.esi: 3508629276 registers.ecx: 7849576 exception.instruction_r: fb e9 d8 fd ff ff 55 bd 0b 08 01 00 29 ef 5d 89 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xc8146 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 819526 exception.address: 0x4c8146	success
1619826880.834588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5041433 registers.eax: 30662 registers.ebp: 4117737492 registers.edx: 122904761 registers.ebx: 113530218 registers.esi: 5045811 registers.ecx: 7849576 exception.instruction_r: fb 29 d2 ff 34 32 e9 18 f8 ff ff 5c 81 ec 04 00 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xc8fc4 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 823236 exception.address: 0x4c8fc4	success
1619826880.834588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5041433 registers.eax: 30662 registers.ebp: 4117737492 registers.edx: 4294939312 registers.ebx: 3880522344 registers.esi: 5045811 registers.ecx: 7849576 exception.instruction_r: fb 68 4d df 03 7d ff 34 24 e9 e6 fc ff ff 29 d5 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xc9071 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 823409 exception.address: 0x4c9071	success
1619826880.849588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5041433 registers.eax: 29083 registers.ebp: 4117737492 registers.edx: 58795849 registers.ebx: 1266390024 registers.esi: 5047126 registers.ecx: 7849576 exception.instruction_r: fb 31 c0 ff 34 06 e9 b3 ff ff ff 81 c4 04 00 00 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xc9665 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 824933 exception.address: 0x4c9665	success
1619826880.849588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 26857 registers.eax: 4294940548 registers.ebp: 4117737492 registers.edx: 58795849 registers.ebx: 1266390024 registers.esi: 5047126 registers.ecx: 7849576 exception.instruction_r: fb e9 bd fa ff ff 56 89 e6 e9 74 fb ff ff c1 e6 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xc97d9 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 825305 exception.address: 0x4c97d9	success
1619826881.193588 __exception__	stacktrace: registers.esp: 1638200 registers.edi: 0 registers.eax: 5052046 registers.ebp: 4117737492 registers.edx: 106157268 registers.ebx: 5040800 registers.esi: 64265040 registers.ecx: 33024 exception.instruction_r: fb e9 f6 fc ff ff 2d 31 1f 77 67 01 f8 05 31 1f exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xd1ad1 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 858833 exception.address: 0x4d1ad1	success
1619826881.193588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 0 registers.eax: 5055375 registers.ebp: 4117737492 registers.edx: 0 registers.ebx: 5040800 registers.esi: 9193 registers.ecx: 33024 exception.instruction_r: fb 51 68 b1 15 ac 5c 59 81 e9 01 00 00 00 c1 e1 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xd16d8 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 857816 exception.address: 0x4d16d8	success
1619826881.209588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5059026 registers.eax: 27169 registers.ebp: 4117737492 registers.edx: 582600 registers.ebx: 1 registers.esi: 5067039 registers.ecx: 5093862 exception.instruction_r: fb 29 db 52 89 da 81 c2 00 00 00 00 81 c2 72 74 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xd509f exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 872607 exception.address: 0x4d509f	success
1619826881.209588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 5059026 registers.eax: 2892074381 registers.ebp: 4117737492 registers.edx: 582600 registers.ebx: 4294943144 registers.esi: 5067039 registers.ecx: 5093862 exception.instruction_r: fb 68 c5 5e 00 00 89 3c 24 e9 94 01 00 00 8f 04 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xd5344 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 873284 exception.address: 0x4d5344	success
1619826881.303588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 4294939812 registers.eax: 5116650 registers.ebp: 4117737492 registers.edx: 322689 registers.ebx: 5077695 registers.esi: 64265040 registers.ecx: 33024 exception.instruction_r: fb 53 e9 71 04 00 00 81 ed 3f 2d 9b 69 01 cd 81 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xd9ce1 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 892129 exception.address: 0x4d9ce1	success
1619826881.303588 __exception__	stacktrace: registers.esp: 1638200 registers.edi: 4294939812 registers.eax: 5089626 registers.ebp: 4117737492 registers.edx: 824085085 registers.ebx: 5077695 registers.esi: 64265040 registers.ecx: 1762159729 exception.instruction_r: fb 51 56 e9 b2 03 00 00 01 f1 5e 53 52 68 66 6b exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xdae4d exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 896589 exception.address: 0x4dae4d	success
1619826881.303588 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 4294939812 registers.eax: 5119000 registers.ebp: 4117737492 registers.edx: 824085085 registers.ebx: 5077695 registers.esi: 64265040 registers.ecx: 1762159729 exception.instruction_r: fb 68 1f 1a 00 00 ff 34 24 5b 51 89 e1 e9 5f fc exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0xdaee9 exception.instruction: sti exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 896745 exception.address: 0x4daee9	success

Allocates read-write-execute memory (usually to unpack itself) (21 个事件)

Time & API	Arguments	Status
1619826881.443588 NtProtectVirtualMemory	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1619826881.443588 NtProtectVirtualMemory	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1619826881.662588 NtProtectVirtualMemory	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 94208 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00401000	success
1619826881.756588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x040a0000	success
1619826881.771588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x040b0000	success
1619826881.771588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04100000	success
1619826881.771588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04110000	success
1619826881.771588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04120000	success
1619826881.771588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x041b0000	success
1619826881.771588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x041c0000	success
1619826881.771588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x041d0000	success
1619826881.787588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x046f0000	success
1619826881.787588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04700000	success
1619826881.787588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04710000	success
1619826881.787588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04720000	success
1619826881.787588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04730000	success
1619826881.787588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04740000	success
1619826881.787588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04750000	success
1619826881.787588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04760000	success
1619826881.787588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04770000	success
1619826881.787588 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04780000	success

A process attempted to delay the analysis task. (1 个事件)

description

ab56308b5b2e33d12c34f13b0d8b1667.exe tried to sleep 540 seconds, actually delayed analysis time by 540 seconds

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826881.834588 NtProtectVirtualMemory	process_identifier: 2988 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x04040000	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (4 个事件)

entropy

7.959736850562741

section

{'size_of_data': '0x00017000', 'virtual_address': '0x00001000', 'entropy': 7.959736850562741, 'name': ' \\x00 ', 'virtual_size': '0x00032000'}

description

A section with a high entropy has been found

entropy

7.523454328130191

section

{'size_of_data': '0x00004000', 'virtual_address': '0x00033000', 'entropy': 7.523454328130191, 'name': '.rsrc', 'virtual_size': '0x00006d4c'}

description

A section with a high entropy has been found

entropy

7.86137014116231

section

{'size_of_data': '0x000cb000', 'virtual_address': '0x0012e000', 'entropy': 7.86137014116231, 'name': 'nhgxrnnn', 'virtual_size': '0x000cb000'}

description

A section with a high entropy has been found

entropy

0.9871244635193133

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 个事件)

process

system

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	203.208.40.33

Checks for the presence of known devices from debuggers and forensic tools (3 个事件)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 185 个事件)

Time & API	Arguments	Status
1619826880.881588 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826880.881588 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826880.881588 FindWindowA	class_name: pediy06 window_name:	failed
1619826881.240588 FindWindowA	class_name: FilemonClass window_name:	failed
1619826881.240588 FindWindowA	class_name: FilemonClass window_name:	failed
1619826881.240588 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1619826881.240588 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619826881.240588 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1619826881.318588 FindWindowA	class_name: RegmonClass window_name:	failed
1619826881.318588 FindWindowA	class_name: RegmonClass window_name:	failed
1619826881.318588 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1619826881.318588 FindWindowA	class_name: 18467-41 window_name:	failed
1619826881.678588 FindWindowA	class_name: FilemonClass window_name:	failed
1619826881.678588 FindWindowA	class_name: FilemonClass window_name:	failed
1619826881.678588 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1619826881.678588 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619826881.678588 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1619826882.771588 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826882.771588 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826882.771588 FindWindowA	class_name: pediy06 window_name:	failed
1619826884.787588 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826884.787588 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826884.787588 FindWindowA	class_name: pediy06 window_name:	failed
1619826885.756588 FindWindowA	class_name: Regmonclass window_name:	failed
1619826885.756588 FindWindowA	class_name: Regmonclass window_name:	failed
1619826886.068588 FindWindowA	class_name: 18467-41 window_name:	failed
1619826886.381588 FindWindowA	class_name: Filemonclass window_name:	failed
1619826886.381588 FindWindowA	class_name: Filemonclass window_name:	failed
1619826886.381588 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619826886.803588 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826886.803588 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826886.803588 FindWindowA	class_name: pediy06 window_name:	failed
1619826888.818588 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826888.818588 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826888.818588 FindWindowA	class_name: pediy06 window_name:	failed
1619826890.381588 FindWindowA	class_name: Regmonclass window_name:	failed
1619826890.381588 FindWindowA	class_name: Regmonclass window_name:	failed
1619826890.693588 FindWindowA	class_name: 18467-41 window_name:	failed
1619826890.834588 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826890.834588 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826890.834588 FindWindowA	class_name: pediy06 window_name:	failed
1619826891.006588 FindWindowA	class_name: Filemonclass window_name:	failed
1619826891.006588 FindWindowA	class_name: Filemonclass window_name:	failed
1619826891.006588 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1619826892.849588 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826892.849588 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826892.849588 FindWindowA	class_name: pediy06 window_name:	failed
1619826894.865588 FindWindowA	class_name: OLLYDBG window_name:	failed
1619826894.865588 FindWindowA	class_name: GBDYLLO window_name:	failed
1619826894.865588 FindWindowA	class_name: pediy06 window_name:	failed

Detects VirtualBox through the presence of a registry key (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826880.271588 __exception__	stacktrace: registers.esp: 1638236 registers.edi: 2502154 registers.eax: 1447909480 registers.ebp: 4117737492 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 4748130 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 ee 0f 00 00 52 ba 01 exception.symbol: ab56308b5b2e33d12c34f13b0d8b1667+0x8793f exception.instruction: in eax, dx exception.module: ab56308b5b2e33d12c34f13b0d8b1667.exe exception.exception_code: 0xc0000096 exception.offset: 555327 exception.address: 0x48793f	success	0	0

Detects the presence of Wine emulator (1 个事件)

registry

HKEY_CURRENT_USER\Software\Wine

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.40650649
FireEye	Generic.mg.ab56308b5b2e33d1
CAT-QuickHeal	Trojan.Generic
Qihoo-360	Generic/Trojan.b42
McAfee	Packed-ZO!AB56308B5B2E
Cylance	Unsafe
VIPRE	Win32.Malware!Drop
Sangfor	Malware
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.40650649
K7GW	Trojan ( 005464661 )
K7AntiVirus	Trojan ( 005464661 )
BitDefenderTheta	Gen:NN.ZexaF.34670.7y2aaqiRKNmi
Cyren	W32/Zusy.BU.gen!Eldorado
Symantec	SMG.Heur!gen
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Malware.Zusy-6622765-0
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Backdoor:Win32/Xtrat.a8ad89a8
AegisLab	Trojan.Win32.Injector.l6p7
Tencent	Win32.Trojan.Generic.Lnny
Ad-Aware	Trojan.GenericKD.40650649
Sophos	Mal/Generic-R + Mal/Agent-ATJ
Comodo	TrojWare.Win32.Agent.COC@52vn2u
F-Secure	Trojan.TR/AD.XtremeRAT.cxhrx
DrWeb	Trojan.Virtumod.11842
Zillya	Trojan.Packed.Win32.124354
TrendMicro	TROJ_STRICTOR_HA190043.UVPM
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Emsisoft	Trojan.GenericKD.40650649 (B)
Ikarus	Virus.Win32.VBInject
GData	Win32.Backdoor.XRat.A
Jiangmin	Trojan.Generic.eakhy
Avira	TR/AD.XtremeRAT.cxhrx
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Win32.AGeneric
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Gridinsoft	Trojan.Win32.Agent.bot!s1
Arcabit	Trojan.Generic.D26C4799
SUPERAntiSpyware	Trojan.Agent/Gen-Zusy
ZoneAlarm	HEUR:Trojan.Win32.Generic
Microsoft	Backdoor:Win32/Xtrat
Cynet	Malicious (score: 100)
AhnLab-V3	Backdoor/Win32.Xtreme.C2357910
Acronis	suspicious
VBA32	Backdoor.Xtreme
ALYac	Trojan.GenericKD.40650649

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2017-09-03 09:10:44

Imports

Library kernel32.dll:

• 0x43a033 lstrcpy

Library comctl32.dll:

• 0x43a03b InitCommonControls

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.