SmartHawk

Time & API	Arguments	Status
1619281448.877125 __exception__	stacktrace: 26b47b54536e9c45a5d8e9f9141b9859+0xa68427 @ 0xe68427 26b47b54536e9c45a5d8e9f9141b9859+0x980bad @ 0xd80bad registers.esp: 22150916 registers.edi: 11444224 registers.eax: 22150916 registers.ebp: 22150996 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2010805291 registers.ecx: 3320905728 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x778eb727	success
1619281448.939125 __exception__	stacktrace: registers.esp: 22151036 registers.edi: 2960906 registers.eax: 1750617430 registers.ebp: 11444224 registers.edx: 22614 registers.ebx: 4194304 registers.esi: 11808892 registers.ecx: 20 exception.instruction_r: ed e9 49 f9 03 00 c3 e9 a7 91 ff ff 1e fb 6e 91 exception.symbol: 26b47b54536e9c45a5d8e9f9141b9859+0xa488a6 exception.instruction: in eax, dx exception.module: 26b47b54536e9c45a5d8e9f9141b9859.exe exception.exception_code: 0xc0000096 exception.offset: 10782886 exception.address: 0xe488a6	success
1619281448.939125 __exception__	stacktrace: registers.esp: 22151036 registers.edi: 2960906 registers.eax: 1447909480 registers.ebp: 11444224 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 11808892 registers.ecx: 10 exception.instruction_r: ed e9 11 96 04 00 cf e9 c5 12 18 00 0e 00 00 00 exception.symbol: 26b47b54536e9c45a5d8e9f9141b9859+0xa2ee26 exception.instruction: in eax, dx exception.module: 26b47b54536e9c45a5d8e9f9141b9859.exe exception.exception_code: 0xc0000096 exception.offset: 10677798 exception.address: 0xe2ee26	success
1619281454.408502 __exception__	stacktrace: ivm31_protected+0x3f031f @ 0x7f031f ivm31_protected+0x372b2d @ 0x772b2d registers.esp: 1638148 registers.edi: 4886528 registers.eax: 1638148 registers.ebp: 1638228 registers.edx: 2130566132 registers.ebx: 1638276 registers.esi: 2010805291 registers.ecx: 4203085824 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x778eb727	success
1619281454.471502 __exception__	stacktrace: registers.esp: 1638268 registers.edi: 3026022 registers.eax: 1750617430 registers.ebp: 4886528 registers.edx: 2130532438 registers.ebx: 0 registers.esi: 5123880 registers.ecx: 20 exception.instruction_r: ed e9 84 7a 11 00 c3 e9 7d 8c 12 00 75 92 33 34 exception.symbol: ivm31_protected+0x334776 exception.instruction: in eax, dx exception.module: ivm31_protected.exe exception.exception_code: 0xc0000096 exception.offset: 3360630 exception.address: 0x734776	success
1619281454.471502 __exception__	stacktrace: registers.esp: 1638268 registers.edi: 3026022 registers.eax: 1447909480 registers.ebp: 4886528 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 5123880 registers.ecx: 10 exception.instruction_r: ed e9 46 28 ff ff d6 f1 ff ff 5f 82 12 0e cb 88 exception.symbol: ivm31_protected+0x44613e exception.instruction: in eax, dx exception.module: ivm31_protected.exe exception.exception_code: 0xc0000096 exception.offset: 4481342 exception.address: 0x84613e	success
1619281456.986 __exception__	stacktrace: ivm32_protected+0x4a15b2 @ 0xdb15b2 ivm32_protected+0x4a422e @ 0xdb422e registers.esp: 2816612 registers.edi: 11005952 registers.eax: 2816612 registers.ebp: 2816692 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 2010805291 registers.ecx: 3837198336 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x778eb727	success
1619281456.986 __exception__	stacktrace: registers.esp: 2816732 registers.edi: 4926686 registers.eax: 1750617430 registers.ebp: 11005952 registers.edx: 1071190 registers.ebx: 0 registers.esi: 13 registers.ecx: 20 exception.instruction_r: ed e9 e8 dc ff ff 03 34 5c 29 32 59 a1 06 f7 23 exception.symbol: ivm32_protected+0x4c8a60 exception.instruction: in eax, dx exception.module: ivm32_protected.exe exception.exception_code: 0xc0000096 exception.offset: 5016160 exception.address: 0xdd8a60	success
1619281456.986 __exception__	stacktrace: registers.esp: 2816732 registers.edi: 4926686 registers.eax: 1447909480 registers.ebp: 11005952 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10 exception.instruction_r: ed e9 69 e2 0e 00 c3 e9 37 48 01 00 0c 00 8d 00 exception.symbol: ivm32_protected+0x3fdc7e exception.instruction: in eax, dx exception.module: ivm32_protected.exe exception.exception_code: 0xc0000096 exception.offset: 4185214 exception.address: 0xd0dc7e	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 个事件)

request

GET http://ip-api.com/line

Resolves a suspicious Top Level Domain (TLD) (3 个事件)

domain	sdaurr04.top	description	Generic top level domain TLD
domain	asload02.top	description	Generic top level domain TLD
domain	moraa03.top	description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (18 个事件)

Time & API	Arguments	Status
1619281448.877125 NtProtectVirtualMemory	process_identifier: 420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1619281448.877125 NtProtectVirtualMemory	process_identifier: 420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1619281449.236125 NtProtectVirtualMemory	process_identifier: 420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004bf000	success
1619281449.236125 NtProtectVirtualMemory	process_identifier: 420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0049f000	success
1619281449.236125 NtProtectVirtualMemory	process_identifier: 420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0049f000	success
1619281454.377502 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1619281454.377502 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1619281454.502502 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0049b000	success
1619281454.502502 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00484000	success
1619281454.502502 NtProtectVirtualMemory	process_identifier: 428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00484000	success
1619281463.268502 NtAllocateVirtualMemory	process_identifier: 428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04730000	success
1619281456.939 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1619281456.939 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1619281457.096 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x009b9000	success
1619281457.096 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0099d000	success
1619281457.096 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0099d000	success
1619281457.143 NtProtectVirtualMemory	process_identifier: 2528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 122880 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0099d000	success
1619281462.377 NtAllocateVirtualMemory	process_identifier: 2528 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x03950000	success

A process attempted to delay the analysis task. (3 个事件)

description	ivm31_protected.exe tried to sleep 145 seconds, actually delayed analysis time by 145 seconds
description	26b47b54536e9c45a5d8e9f9141b9859.exe tried to sleep 133 seconds, actually delayed analysis time by 133 seconds
description	ivm32_protected.exe tried to sleep 144 seconds, actually delayed analysis time by 144 seconds

Steals private information from local Internet browsers (38 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\CookiesCopy-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\WebDataCopy-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\CookiesCopy-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\WebDataCopy-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 3\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 1\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\LoginDataCopy-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\LoginDataCopy-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Profile 2\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 2\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 3\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 1\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 1\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 3\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 2\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 3\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 1\LoginDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Profile 2\CookiesCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\WebDataCopy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\CookiesCopy

Looks up the external IP address (1 个事件)

domain

ip-api.com

Creates executable files on the filesystem (2 个事件)

file	C:\ProgramData\Gds\ivm32_protected.exe
file	C:\ProgramData\Gds\ivm31_protected.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619281459.346125 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (6 个事件)

entropy

7.976173180922792

section

{'size_of_data': '0x00053e00', 'virtual_address': '0x00001000', 'entropy': 7.976173180922792, 'name': ' ', 'virtual_size': '0x0009d5d1'}

description