SmartHawk

10.8

0-day

57 个模型检测该样本为恶意！

重新分析

下载样本

198a4408b6ee2f54311852177283c165366c4df25ffa920f863d51e35d7d2fa3

a04ed05bc56216b76fd84b13ca469103.exe

分析耗时

90s

最近分析

文件大小

2.0MB

静态报毒动态报毒 @Z0AAUJY35II AGEN AI SCORE=88 AIDETECTVM ARTEMIS ATTRIBUTE COINSTEALER CONFIDENCE FAKEAVRENA GENERIC@ML GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HWFDUB ICLOADER JV2ZSXU35XRW LJAC MALWARE1 MALWARE@#26ALNBY0TH5MB MULDROP13 PACKEDTHEMIDA QVM19 R057C0DIE20 RDMK SCORE SCROP SKEEYAH STATIC AI SUSGEN SUSPICIOUS PE THEMIDA TROJANX TSCOPE UNSAFE WRNP7LVUQ ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!A04ED05BC562	20201116	6.0.6.653
Alibaba	TrojanDropper:Win32/Scrop.b7f2d18f	20190527	0.3.0.5
Avast	Win32:TrojanX-gen [Trj]	20201116	20.10.5736.0
Baidu		20190318	1.0.0.2
Kingsoft		20201116	2013.8.14.323
Tencent	Win32.Trojan-dropper.Scrop.Ljac	20201116	1.0.0.1
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1620985511.744503 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620985511.744503 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620985511.948503 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (40 个事件)

Time & API	Arguments	Status	Return	Repeated
1620985509.198503 IsDebuggerPresent		failed	0	0
1620985511.057503 IsDebuggerPresent		failed	0	0
1620987165.464876 IsDebuggerPresent		failed	0	0
1620987165.652876 IsDebuggerPresent		failed	0	0
1620987167.433876 IsDebuggerPresent		failed	0	0
1620987169.449876 IsDebuggerPresent		failed	0	0
1620987171.464876 IsDebuggerPresent		failed	0	0
1620987173.480876 IsDebuggerPresent		failed	0	0
1620987175.495876 IsDebuggerPresent		failed	0	0
1620987177.511876 IsDebuggerPresent		failed	0	0
1620987179.527876 IsDebuggerPresent		failed	0	0
1620987181.542876 IsDebuggerPresent		failed	0	0
1620987183.558876 IsDebuggerPresent		failed	0	0
1620987185.574876 IsDebuggerPresent		failed	0	0
1620987187.589876 IsDebuggerPresent		failed	0	0
1620987189.605876 IsDebuggerPresent		failed	0	0
1620987191.620876 IsDebuggerPresent		failed	0	0
1620987193.636876 IsDebuggerPresent		failed	0	0
1620987195.652876 IsDebuggerPresent		failed	0	0
1620987197.667876 IsDebuggerPresent		failed	0	0
1620987199.683876 IsDebuggerPresent		failed	0	0
1620987201.699876 IsDebuggerPresent		failed	0	0
1620987203.714876 IsDebuggerPresent		failed	0	0
1620987205.730876 IsDebuggerPresent		failed	0	0
1620987207.745876 IsDebuggerPresent		failed	0	0
1620987209.761876 IsDebuggerPresent		failed	0	0
1620987211.777876 IsDebuggerPresent		failed	0	0
1620987213.792876 IsDebuggerPresent		failed	0	0
1620987215.808876 IsDebuggerPresent		failed	0	0
1620987217.824876 IsDebuggerPresent		failed	0	0
1620987219.839876 IsDebuggerPresent		failed	0	0
1620987221.855876 IsDebuggerPresent		failed	0	0
1620987223.902876 IsDebuggerPresent		failed	0	0
1620987225.917876 IsDebuggerPresent		failed	0	0
1620987227.933876 IsDebuggerPresent		failed	0	0
1620987229.964876 IsDebuggerPresent		failed	0	0
1620987232.027876 IsDebuggerPresent		failed	0	0
1620987234.058876 IsDebuggerPresent		failed	0	0
1620987236.105876 IsDebuggerPresent		failed	0	0
1620987238.152876 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620985509.885503 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 个事件)

section	\x00
section	.idata
section
section	iebwhldh
section	hxnyzxbi

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

CURSOR

One or more processes crashed (50 out of 218 个事件)

Time & API	Arguments	Status
1620985508.635503 __exception__	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1505708 registers.edi: 0 registers.eax: 1 registers.ebp: 1505724 registers.edx: 23273472 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x3140b9 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 3227833 exception.address: 0x14940b9	success
1620985508.635503 __exception__	stacktrace: registers.esp: 1505672 registers.edi: 1983119592 registers.eax: 27338 registers.ebp: 4008861716 registers.edx: 18840952 registers.ebx: 24411 registers.esi: 3 registers.ecx: 1983315968 exception.instruction_r: fb 52 89 34 24 e9 31 fc ff ff 5a 81 c2 00 c4 57 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x781d6 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 491990 exception.address: 0x11f81d6	success
1620985508.635503 __exception__	stacktrace: registers.esp: 1505676 registers.edi: 1983119592 registers.eax: 236777 registers.ebp: 4008861716 registers.edx: 18843806 registers.ebx: 24411 registers.esi: 3 registers.ecx: 0 exception.instruction_r: fb 52 e9 e6 f7 ff ff 58 31 c7 ff 34 24 e9 78 f6 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x78707 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 493319 exception.address: 0x11f8707	success
1620985508.635503 __exception__	stacktrace: registers.esp: 1505672 registers.edi: 1983119592 registers.eax: 18845135 registers.ebp: 4008861716 registers.edx: 18843806 registers.ebx: 1658421660 registers.esi: 3 registers.ecx: 1331332356 exception.instruction_r: fb 53 bb 6e 01 ab 6b 81 cb 90 bf 6f 3f 81 c3 29 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x79078 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 495736 exception.address: 0x11f9078	success
1620985508.635503 __exception__	stacktrace: registers.esp: 1505676 registers.edi: 1983119592 registers.eax: 18848455 registers.ebp: 4008861716 registers.edx: 18843806 registers.ebx: 0 registers.esi: 1259 registers.ecx: 1331332356 exception.instruction_r: fb 57 53 89 e3 81 c3 04 00 00 00 e9 d4 fe ff ff exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x795ce exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 497102 exception.address: 0x11f95ce	success
1620985508.635503 __exception__	stacktrace: registers.esp: 1505676 registers.edi: 20400528 registers.eax: 26164 registers.ebp: 4008861716 registers.edx: 2345 registers.ebx: 143360 registers.esi: 20373920 registers.ecx: 3691118592 exception.instruction_r: fb 53 56 89 e6 55 50 b8 04 00 00 00 89 c5 58 e9 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x1eeabe exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2026174 exception.address: 0x136eabe	success
1620985508.635503 __exception__	stacktrace: registers.esp: 1505676 registers.edi: 20377732 registers.eax: 26164 registers.ebp: 4008861716 registers.edx: 0 registers.ebx: 143360 registers.esi: 606898519 registers.ecx: 3691118592 exception.instruction_r: fb 83 ec 04 89 3c 24 53 e9 f3 fd ff ff 5d 87 34 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x1eeb45 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2026309 exception.address: 0x136eb45	success
1620985508.651503 __exception__	stacktrace: registers.esp: 1505676 registers.edi: 20428135 registers.eax: 29951 registers.ebp: 4008861716 registers.edx: 3746802547 registers.ebx: 20396162 registers.esi: 14458 registers.ecx: 0 exception.instruction_r: fb e9 00 00 00 00 83 ec 04 89 34 24 89 0c 24 e9 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x1f4ad7 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2050775 exception.address: 0x1374ad7	success
1620985508.651503 __exception__	stacktrace: registers.esp: 1505676 registers.edi: 20400871 registers.eax: 0 registers.ebp: 4008861716 registers.edx: 3746802547 registers.ebx: 20396162 registers.esi: 50665 registers.ecx: 0 exception.instruction_r: fb 68 68 d7 50 7a 89 04 24 81 ec 04 00 00 00 89 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x1f4349 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2048841 exception.address: 0x1374349	success
1620985508.651503 __exception__	stacktrace: registers.esp: 1505672 registers.edi: 20400871 registers.eax: 30509 registers.ebp: 4008861716 registers.edx: 327339520 registers.ebx: 988741028 registers.esi: 20403339 registers.ecx: 887434970 exception.instruction_r: fb 81 c6 4d 23 d9 3f 68 d6 bd 8f 22 89 3c 24 bf exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x1f54b7 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2053303 exception.address: 0x13754b7	success
1620985508.651503 __exception__	stacktrace: registers.esp: 1505676 registers.edi: 20400871 registers.eax: 30509 registers.ebp: 4008861716 registers.edx: 327339520 registers.ebx: 988741028 registers.esi: 20433848 registers.ecx: 887434970 exception.instruction_r: fb 50 b8 a1 6f f1 7b 50 56 e9 ec 03 00 00 83 ec exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x1f5b21 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2054945 exception.address: 0x1375b21	success
1620985508.651503 __exception__	stacktrace: registers.esp: 1505676 registers.edi: 0 registers.eax: 202985 registers.ebp: 4008861716 registers.edx: 327339520 registers.ebx: 988741028 registers.esi: 20406180 registers.ecx: 887434970 exception.instruction_r: fb 52 89 34 24 55 bd df 2e a5 7f be 95 0d 82 40 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x1f58cd exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2054349 exception.address: 0x13758cd	success
1620985508.666503 __exception__	stacktrace: registers.esp: 1505668 registers.edi: 4140554 registers.eax: 1447909480 registers.ebp: 4008861716 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 20435486 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 2f 0b 00 00 68 35 c2 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x1ff9a6 exception.instruction: in eax, dx exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2095526 exception.address: 0x137f9a6	success
1620985508.666503 __exception__	stacktrace: registers.esp: 1505668 registers.edi: 4140554 registers.eax: 1 registers.ebp: 4008861716 registers.edx: 22104 registers.ebx: 0 registers.esi: 20435486 registers.ecx: 20 exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x1fe197 exception.address: 0x137e197 exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc000001d exception.offset: 2089367	success
1620985508.666503 __exception__	stacktrace: registers.esp: 1505668 registers.edi: 4140554 registers.eax: 1447909480 registers.ebp: 4008861716 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 20435486 registers.ecx: 10 exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 97 29 2d 12 01 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x201eed exception.instruction: in eax, dx exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2105069 exception.address: 0x1381eed	success
1620985508.854503 __exception__	stacktrace: registers.esp: 1505676 registers.edi: 20502652 registers.eax: 31770 registers.ebp: 4008861716 registers.edx: 2130566132 registers.ebx: 67285906 registers.esi: 1375758944 registers.ecx: 4294937948 exception.instruction_r: fb 51 e9 16 f9 ff ff 81 f5 ae 0e 1a c7 31 e9 5d exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x206565 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2123109 exception.address: 0x1386565	success
1620985508.854503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 0 registers.eax: 1505636 registers.ebp: 4008861716 registers.edx: 1499036088 registers.ebx: 20474075 registers.esi: 0 registers.ecx: 4294937948 exception.instruction_r: cd 01 eb 00 66 8b d1 e9 06 00 00 00 0a 00 6f f7 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x2067c9 exception.instruction: int 1 exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000005 exception.offset: 2123721 exception.address: 0x13867c9	success
1620985508.854503 __exception__	stacktrace: registers.esp: 1505676 registers.edi: 20502652 registers.eax: 27761 registers.ebp: 4008861716 registers.edx: 20474562 registers.ebx: 20529251 registers.esi: 1375753571 registers.ecx: 20474562 exception.instruction_r: fb 51 e9 5e 02 00 00 56 89 e6 81 c6 04 00 00 00 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x20d717 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2152215 exception.address: 0x138d717	success
1620985508.854503 __exception__	stacktrace: registers.esp: 1505676 registers.edi: 0 registers.eax: 9496915 registers.ebp: 4008861716 registers.edx: 20474562 registers.ebx: 20504675 registers.esi: 1375753571 registers.ecx: 20474562 exception.instruction_r: fb 51 89 2c 24 e9 e6 05 00 00 8f 04 24 8b 24 24 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x20d737 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2152247 exception.address: 0x138d737	success
1620985509.026503 __exception__	stacktrace: registers.esp: 1505676 registers.edi: 20567393 registers.eax: 262633 registers.ebp: 4008861716 registers.edx: 6 registers.ebx: 4294939692 registers.esi: 1983190032 registers.ecx: 0 exception.instruction_r: fb 68 a2 c8 80 39 89 34 24 e9 80 00 00 00 87 14 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x21622f exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2187823 exception.address: 0x139622f	success
1620985509.026503 __exception__	stacktrace: registers.esp: 1505668 registers.edi: 0 registers.eax: 29978 registers.ebp: 4008861716 registers.edx: 20551528 registers.ebx: 389097 registers.esi: 1983190032 registers.ecx: 884194034 exception.instruction_r: fb e9 d0 00 00 00 87 2c 24 5c 89 2c 24 e9 b5 02 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x219447 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2200647 exception.address: 0x1399447	success
1620985509.026503 __exception__	stacktrace: registers.esp: 1505668 registers.edi: 84201 registers.eax: 20589053 registers.ebp: 4008861716 registers.edx: 1132892354 registers.ebx: 1352792321 registers.esi: 1983190032 registers.ecx: 4294944600 exception.instruction_r: fb 52 56 52 c7 04 24 b8 b7 fe 62 5e e9 59 fb ff exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x21cf61 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2215777 exception.address: 0x139cf61	success
1620985509.041503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 4294940860 registers.eax: 29519 registers.ebp: 4008861716 registers.edx: 2130566132 registers.ebx: 1459645024 registers.esi: 20724818 registers.ecx: 2151258253 exception.instruction_r: fb 68 43 4e 65 2d 89 2c 24 bd dd ce 23 05 51 89 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x23d30b exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2347787 exception.address: 0x13bd30b	success
1620985509.041503 __exception__	stacktrace: registers.esp: 1505632 registers.edi: 20699191 registers.eax: 20699716 registers.ebp: 4008861716 registers.edx: 0 registers.ebx: 0 registers.esi: 20698411 registers.ecx: 0 exception.instruction_r: fb 05 cc 8c e0 4f e9 39 fc ff ff 57 bf e0 a8 ef exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x23de70 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2350704 exception.address: 0x13bde70	success
1620985509.041503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 20699191 registers.eax: 20730979 registers.ebp: 4008861716 registers.edx: 0 registers.ebx: 0 registers.esi: 20698411 registers.ecx: 0 exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 c7 04 24 01 99 d3 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x23e171 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2351473 exception.address: 0x13be171	success
1620985509.057503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 1459645024 registers.eax: 20702943 registers.ebp: 4008861716 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb e9 d7 05 00 00 5d 01 da 5b 01 f2 e9 5b 04 00 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x23dc98 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2350232 exception.address: 0x13bdc98	success
1620985509.057503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 1459645024 registers.eax: 32446 registers.ebp: 4008861716 registers.edx: 0 registers.ebx: 20737616 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb e9 ca 01 00 00 29 fd 5f 31 eb 8b 2c 24 81 c4 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x23f7d5 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2357205 exception.address: 0x13bf7d5	success
1620985509.057503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 1459645024 registers.eax: 4294937884 registers.ebp: 4008861716 registers.edx: 0 registers.ebx: 20737616 registers.esi: 607947090 registers.ecx: 0 exception.instruction_r: fb 68 3f 1e 7c 6a 89 04 24 b8 f3 24 ff 66 e9 cc exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x23f40d exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2356237 exception.address: 0x13bf40d	success
1620985509.057503 __exception__	stacktrace: registers.esp: 1505632 registers.edi: 1459645024 registers.eax: 30807 registers.ebp: 4008861716 registers.edx: 246926527 registers.ebx: 20708610 registers.esi: 607947090 registers.ecx: 1148810396 exception.instruction_r: fb e9 09 fa ff ff 5c ff 33 68 43 fd cc 23 89 1c exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x24052f exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2360623 exception.address: 0x13c052f	success
1620985509.057503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 1459645024 registers.eax: 30807 registers.ebp: 4008861716 registers.edx: 246926527 registers.ebx: 20739417 registers.esi: 607947090 registers.ecx: 1148810396 exception.instruction_r: fb e9 49 00 00 00 05 61 72 e7 5e 01 d8 2d 61 72 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x24023f exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2359871 exception.address: 0x13c023f	success
1620985509.057503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 44777 registers.eax: 30807 registers.ebp: 4008861716 registers.edx: 246926527 registers.ebx: 20711629 registers.esi: 607947090 registers.ecx: 0 exception.instruction_r: fb 57 51 c7 04 24 3f 6f 77 7e 8b 3c 24 83 c4 04 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x24081a exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2361370 exception.address: 0x13c081a	success
1620985509.057503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 20729746 registers.eax: 0 registers.ebp: 4008861716 registers.edx: 2130378752 registers.ebx: 65802 registers.esi: 607947090 registers.ecx: 689675661 exception.instruction_r: fb 50 b8 af 39 d2 2e ba c6 be 0d 51 31 c2 e9 e6 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x2444c0 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2376896 exception.address: 0x13c44c0	success
1620985509.073503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 20729746 registers.eax: 27524 registers.ebp: 4008861716 registers.edx: 4294942716 registers.ebx: 69353 registers.esi: 20757757 registers.ecx: 689675661 exception.instruction_r: fb 56 c7 04 24 ef c8 7d 0f 83 ec 04 89 14 24 ba exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x2454e5 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2381029 exception.address: 0x13c54e5	success
1620985509.073503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 20744312 registers.eax: 0 registers.ebp: 4008861716 registers.edx: 0 registers.ebx: 69354 registers.esi: 20740696 registers.ecx: 81129 exception.instruction_r: fb e9 a7 fd ff ff 55 89 0c 24 ff 34 24 58 81 c4 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x248651 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2393681 exception.address: 0x13c8651	success
1620985509.073503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 20744312 registers.eax: 20780088 registers.ebp: 4008861716 registers.edx: 0 registers.ebx: 69354 registers.esi: 20740696 registers.ecx: 1458479234 exception.instruction_r: fb 51 c7 04 24 fb 25 5f 7f ff 04 24 c1 24 24 02 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x249df3 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2399731 exception.address: 0x13c9df3	success
1620985509.073503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 20744312 registers.eax: 20750140 registers.ebp: 4008861716 registers.edx: 0 registers.ebx: 0 registers.esi: 20740696 registers.ecx: 2298801283 exception.instruction_r: fb e9 61 00 00 00 8b 3c 24 83 c4 04 e9 e3 ff ff exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x2494a1 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2397345 exception.address: 0x13c94a1	success
1620985509.088503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 20744312 registers.eax: 28455 registers.ebp: 4008861716 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 20810639 registers.ecx: 3691118592 exception.instruction_r: fb 68 11 ff e6 58 89 0c 24 c7 04 24 34 65 9b 7b exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x252813 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2435091 exception.address: 0x13d2813	success
1620985509.088503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 0 registers.eax: 604292949 registers.ebp: 4008861716 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 20785219 registers.ecx: 3691118592 exception.instruction_r: fb e9 35 04 00 00 5b 03 34 24 50 b8 54 6a 9f 6e exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x251f8b exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2432907 exception.address: 0x13d1f8b	success
1620985509.088503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 20820925 registers.eax: 26491 registers.ebp: 4008861716 registers.edx: 2417608 registers.ebx: 604292947 registers.esi: 0 registers.ecx: 20845774 exception.instruction_r: fb 57 c7 04 24 d2 33 f3 49 89 34 24 89 0c 24 89 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x260c85 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2493573 exception.address: 0x13e0c85	success
1620985509.198503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 4023124090 registers.eax: 3205461 registers.ebp: 4008861716 registers.edx: 2417608 registers.ebx: 20894568 registers.esi: 0 registers.ecx: 23306901 exception.instruction_r: fb 56 89 3c 24 52 c7 04 24 76 3b 5b 33 e9 dd 09 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x26c72c exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2541356 exception.address: 0x13ec72c	success
1620985509.198503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 4023124090 registers.eax: 30615 registers.ebp: 4008861716 registers.edx: 20925636 registers.ebx: 1623700571 registers.esi: 0 registers.ecx: 23306901 exception.instruction_r: fb e9 9c ff ff ff bb 72 95 f7 1f 81 eb 2f c6 78 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x26dd7a exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2547066 exception.address: 0x13edd7a	success
1620985509.198503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 4023124090 registers.eax: 30615 registers.ebp: 4008861716 registers.edx: 20897904 registers.ebx: 1623700571 registers.esi: 0 registers.ecx: 2298801283 exception.instruction_r: fb 68 84 3d 2d 3d e9 cd fa ff ff 89 14 24 ff 74 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x26dbcd exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2546637 exception.address: 0x13edbcd	success
1620985509.213503 __exception__	stacktrace: registers.esp: 1505632 registers.edi: 0 registers.eax: 20961222 registers.ebp: 4008861716 registers.edx: 12 registers.ebx: 20927028 registers.esi: 9345872 registers.ecx: 13 exception.instruction_r: fb 51 b9 cd d3 6f 4d e9 1c fe ff ff 29 c8 2d 5d exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x27e2d0 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2613968 exception.address: 0x13fe2d0	success
1620985509.213503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 0 registers.eax: 20993944 registers.ebp: 4008861716 registers.edx: 12 registers.ebx: 20927028 registers.esi: 9345872 registers.ecx: 13 exception.instruction_r: fb 53 c7 04 24 4e a8 fd 73 81 24 24 e1 ff 7f 02 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x27e33b exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2614075 exception.address: 0x13fe33b	success
1620985509.213503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 0 registers.eax: 20964360 registers.ebp: 4008861716 registers.edx: 12 registers.ebx: 0 registers.esi: 9345872 registers.ecx: 3924134229 exception.instruction_r: fb 83 ec 04 e9 ee 03 00 00 8b 24 24 57 c7 04 24 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x27de3a exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2612794 exception.address: 0x13fde3a	success
1620985509.244503 __exception__	stacktrace: registers.esp: 1505632 registers.edi: 0 registers.eax: 28532 registers.ebp: 4008861716 registers.edx: 2130566132 registers.ebx: 21034052 registers.esi: 2010382348 registers.ecx: 3691118592 exception.instruction_r: fb e9 48 fd ff ff ba b6 ba 5d 6f e9 30 00 00 00 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x28fa51 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2685521 exception.address: 0x140fa51	success
1620985509.244503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 0 registers.eax: 28532 registers.ebp: 4008861716 registers.edx: 2130566132 registers.ebx: 21062584 registers.esi: 2010382348 registers.ecx: 3691118592 exception.instruction_r: fb 52 ba 44 b9 6d 2b e9 43 00 00 00 bb 72 cb fd exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x28fdb0 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2686384 exception.address: 0x140fdb0	success
1620985509.244503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 0 registers.eax: 322689 registers.ebp: 4008861716 registers.edx: 2130566132 registers.ebx: 21037092 registers.esi: 0 registers.ecx: 3691118592 exception.instruction_r: fb 53 e9 5c fb ff ff 51 b9 04 00 00 00 01 4c 24 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x28fc2e exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2685998 exception.address: 0x140fc2e	success
1620985509.244503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 4008861716 registers.eax: 32917 registers.ebp: 4008861716 registers.edx: 14346582 registers.ebx: 21046431 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb 83 ec 04 e9 73 03 00 00 89 2c 24 bd d1 fa e7 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x291d89 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2694537 exception.address: 0x1411d89	success
1620985509.291503 __exception__	stacktrace: registers.esp: 1505636 registers.edi: 4294939600 registers.eax: 30427 registers.ebp: 4008861716 registers.edx: 3806941265 registers.ebx: 16910336 registers.esi: 20729877 registers.ecx: 21112156 exception.instruction_r: fb 53 53 c7 04 24 c1 e2 bf 5f e9 b0 f9 ff ff 81 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x29b8f3 exception.instruction: sti exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2734323 exception.address: 0x141b8f3	success

Allocates read-write-execute memory (usually to unpack itself) (50 out of 52 个事件)

Time & API	Arguments	Status
1620985509.229503 NtProtectVirtualMemory	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1620985509.229503 NtProtectVirtualMemory	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1620985509.354503 NtProtectVirtualMemory	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01181000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00900000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00910000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009b0000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009c0000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad0000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b20000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b30000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b80000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bd0000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c20000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c70000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c80000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d90000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00de0000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e30000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e40000	success
1620985509.401503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad0000	success
1620985509.416503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad0000	success
1620985509.416503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00f90000	success
1620985509.416503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00fe0000	success
1620985509.416503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01130000	success
1620985509.416503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad0000	success
1620985509.416503 NtAllocateVirtualMemory	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad0000	success
1620986806.49927 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004060000	success
1620987165.464876 NtProtectVirtualMemory	process_identifier: 3164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1620987165.464876 NtProtectVirtualMemory	process_identifier: 3164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1620987165.558876 NtProtectVirtualMemory	process_identifier: 3164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01201000	success
1620987165.589876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008a0000	success
1620987165.589876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008b0000	success
1620987165.589876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008d0000	success
1620987165.589876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008e0000	success
1620987165.589876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00970000	success
1620987165.589876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00980000	success
1620987165.589876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a10000	success
1620987165.589876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a20000	success
1620987165.589876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bb0000	success
1620987165.589876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d40000	success
1620987165.589876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d90000	success
1620987165.589876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00da0000	success
1620987165.605876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00df0000	success
1620987165.605876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e00000	success
1620987165.605876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00f10000	success
1620987165.605876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00970000	success
1620987165.605876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00970000	success
1620987165.605876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01080000	success
1620987165.605876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x011d0000	success
1620987165.605876 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x011e0000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 个事件)

description

SmartClock.exe tried to sleep 645 seconds, actually delayed analysis time by 645 seconds

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Creates a shortcut to an executable file (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)

entropy

7.982489445020938

section

{'size_of_data': '0x0000fc00', 'virtual_address': '0x00001000', 'entropy': 7.982489445020938, 'name': ' \\x00 ', 'virtual_size': '0x00023000'}

description

A section with a high entropy has been found

entropy

7.95333402732865

section

{'size_of_data': '0x0019d200', 'virtual_address': '0x00314000', 'entropy': 7.95333402732865, 'name': 'iebwhldh', 'virtual_size': '0x0019e000'}

description

A section with a high entropy has been found

entropy

0.8413437959784208

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 个事件)

process

system

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Checks for the presence of known devices from debuggers and forensic tools (3 个事件)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 235 个事件)

Time & API	Arguments	Status
1620985509.088503 FindWindowA	class_name: OLLYDBG window_name:	failed
1620985509.088503 FindWindowA	class_name: GBDYLLO window_name:	failed
1620985509.088503 FindWindowA	class_name: pediy06 window_name:	failed
1620985509.198503 FindWindowA	class_name: FilemonClass window_name:	failed
1620985509.198503 FindWindowA	class_name: FilemonClass window_name:	failed
1620985509.198503 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620985509.198503 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620985509.198503 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620985509.213503 FindWindowA	class_name: RegmonClass window_name:	failed
1620985509.213503 FindWindowA	class_name: RegmonClass window_name:	failed
1620985509.213503 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1620985509.213503 FindWindowA	class_name: 18467-41 window_name:	failed
1620985509.354503 FindWindowA	class_name: FilemonClass window_name:	failed
1620985509.354503 FindWindowA	class_name: FilemonClass window_name:	failed
1620985509.354503 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620985509.354503 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620985509.354503 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620985511.057503 FindWindowA	class_name: OLLYDBG window_name:	failed
1620985511.057503 FindWindowA	class_name: GBDYLLO window_name:	failed
1620985511.057503 FindWindowA	class_name: pediy06 window_name:	failed
1620987165.449876 FindWindowA	class_name: OLLYDBG window_name:	failed
1620987165.449876 FindWindowA	class_name: GBDYLLO window_name:	failed
1620987165.449876 FindWindowA	class_name: pediy06 window_name:	failed
1620987165.464876 FindWindowA	class_name: FilemonClass window_name:	failed
1620987165.464876 FindWindowA	class_name: FilemonClass window_name:	failed
1620987165.464876 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620987165.464876 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620987165.464876 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620987165.464876 FindWindowA	class_name: RegmonClass window_name:	failed
1620987165.464876 FindWindowA	class_name: RegmonClass window_name:	failed
1620987165.464876 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1620987165.464876 FindWindowA	class_name: 18467-41 window_name:	failed
1620987165.542876 FindWindowA	class_name: FilemonClass window_name:	failed
1620987165.542876 FindWindowA	class_name: FilemonClass window_name:	failed
1620987165.542876 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620987165.542876 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620987165.542876 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620987167.433876 FindWindowA	class_name: OLLYDBG window_name:	failed
1620987167.433876 FindWindowA	class_name: GBDYLLO window_name:	failed
1620987167.433876 FindWindowA	class_name: pediy06 window_name:	failed
1620987169.449876 FindWindowA	class_name: OLLYDBG window_name:	failed
1620987169.449876 FindWindowA	class_name: GBDYLLO window_name:	failed
1620987169.449876 FindWindowA	class_name: pediy06 window_name:	failed
1620987169.605876 FindWindowA	class_name: Regmonclass window_name:	failed
1620987169.605876 FindWindowA	class_name: Regmonclass window_name:	failed
1620987169.917876 FindWindowA	class_name: 18467-41 window_name:	failed
1620987170.230876 FindWindowA	class_name: Filemonclass window_name:	failed
1620987170.230876 FindWindowA	class_name: Filemonclass window_name:	failed
1620987170.230876 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620987171.464876 FindWindowA	class_name: OLLYDBG window_name:	failed

Checks the version of Bios, possibly for anti-virtualization (2 个事件)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Detects VirtualBox through the presence of a registry key (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620985508.666503 __exception__	stacktrace: registers.esp: 1505668 registers.edi: 4140554 registers.eax: 1447909480 registers.ebp: 4008861716 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 20435486 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 2f 0b 00 00 68 35 c2 exception.symbol: a04ed05bc56216b76fd84b13ca469103+0x1ff9a6 exception.instruction: in eax, dx exception.module: a04ed05bc56216b76fd84b13ca469103.exe exception.exception_code: 0xc0000096 exception.offset: 2095526 exception.address: 0x137f9a6	success	0	0

Detects the presence of Wine emulator (1 个事件)

registry

HKEY_CURRENT_USER\Software\Wine

Generates some ICMP traffic

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.MulDrop13.64396
MicroWorld-eScan	Trojan.GenericKD.34507594
FireEye	Generic.mg.a04ed05bc56216b7
CAT-QuickHeal	Trojan.Generic
McAfee	Artemis!A04ED05BC562
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 00569d041 )
Alibaba	TrojanDropper:Win32/Scrop.b7f2d18f
K7GW	Trojan ( 00569d041 )
Cybereason	malicious.7946a4
Arcabit	Trojan.Generic.D20E8B4A
Invincea	Mal/Generic-S
BitDefenderTheta	Gen:NN.ZexaF.34634.@z0aauJY35ii
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-Dropper.Win32.Scrop.vho
BitDefender	Trojan.GenericKD.34507594
NANO-Antivirus	Trojan.Win32.Scrop.hwfdub
Paloalto	generic.ml
Rising	Trojan.Generic@ML.100 (RDMK:jv2zsXu35XRw/wRnp7LvUQ)
Ad-Aware	Trojan.GenericKD.34507594
Emsisoft	Trojan.GenericKD.34507594 (B)
Comodo	Malware@#26alnby0th5mb
F-Secure	Heuristic.HEUR/AGEN.1134358
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R057C0DIE20
McAfee-GW-Edition	BehavesLike.Win32.FakeAVRena.tc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1134358
Antiy-AVL	Trojan[Dropper]/Win32.Scrop
Gridinsoft	Trojan.Win32.Packed.oa
Microsoft	Trojan:Win32/Skeeyah.B!rfn
AegisLab	Trojan.Win32.Scrop.b!c
ZoneAlarm	HEUR:Trojan-Dropper.Win32.Scrop.vho
GData	Trojan.GenericKD.34507594
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Scrop.C4152230
ALYac	Trojan.GenericKD.34507594
MAX	malware (ai score=88)
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Trojan.ICLoader
ESET-NOD32	a variant of Win32/Packed.Themida.HMI
TrendMicro-HouseCall	TROJ_GEN.R057C0DIE20
Tencent	Win32.Trojan-dropper.Scrop.Ljac

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-03-15 02:59:56

Imports

Library kernel32.dll:

• 0x475033 lstrcpy

Library comctl32.dll:

• 0x47503b InitCommonControls

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	62192	239.255.255.250	3702
192.168.56.101	65005	239.255.255.250	3702
192.168.56.101	65007	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.