SmartHawk

8.8

极危

该样本未表现出任何异常！

重新分析

下载样本

14cccfdfec5ad5bb0a8c12e1c07c2dc92a21c3171b5bdc1ed026bad21611d0b7

a0e5fe139aef001e51163aca10d59cd1.exe

分析耗时

94s

最近分析

文件大小

2.1MB

静态报毒动态报毒

未检测暂无鹰眼引擎检测结果

未检测暂无反病毒引擎检测结果

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1621012505.63375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621012505.64975 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621012505.93075 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (41 个事件)

Time & API	Arguments	Status	Return	Repeated
1621012502.35275 IsDebuggerPresent		failed	0	0
1621012504.36775 IsDebuggerPresent		failed	0	0
1621012506.41475 IsDebuggerPresent		failed	0	0
1621012507.492 IsDebuggerPresent		failed	0	0
1621012507.695 IsDebuggerPresent		failed	0	0
1621012509.524 IsDebuggerPresent		failed	0	0
1621012511.539 IsDebuggerPresent		failed	0	0
1621012513.649 IsDebuggerPresent		failed	0	0
1621012515.664 IsDebuggerPresent		failed	0	0
1621012517.68 IsDebuggerPresent		failed	0	0
1621012519.695 IsDebuggerPresent		failed	0	0
1621012521.711 IsDebuggerPresent		failed	0	0
1621012523.727 IsDebuggerPresent		failed	0	0
1621012525.742 IsDebuggerPresent		failed	0	0
1621012527.758 IsDebuggerPresent		failed	0	0
1621012529.774 IsDebuggerPresent		failed	0	0
1621012531.789 IsDebuggerPresent		failed	0	0
1621012533.805 IsDebuggerPresent		failed	0	0
1621012535.82 IsDebuggerPresent		failed	0	0
1621012537.836 IsDebuggerPresent		failed	0	0
1621012539.852 IsDebuggerPresent		failed	0	0
1621012541.867 IsDebuggerPresent		failed	0	0
1621012543.883 IsDebuggerPresent		failed	0	0
1621012545.899 IsDebuggerPresent		failed	0	0
1621012547.914 IsDebuggerPresent		failed	0	0
1621012549.93 IsDebuggerPresent		failed	0	0
1621012551.945 IsDebuggerPresent		failed	0	0
1621012553.961 IsDebuggerPresent		failed	0	0
1621012555.977 IsDebuggerPresent		failed	0	0
1621012557.992 IsDebuggerPresent		failed	0	0
1621012560.008 IsDebuggerPresent		failed	0	0
1621012562.024 IsDebuggerPresent		failed	0	0
1621012564.039 IsDebuggerPresent		failed	0	0
1621012566.055 IsDebuggerPresent		failed	0	0
1621012568.07 IsDebuggerPresent		failed	0	0
1621012570.086 IsDebuggerPresent		failed	0	0
1621012572.102 IsDebuggerPresent		failed	0	0
1621012574.117 IsDebuggerPresent		failed	0	0
1621012576.133 IsDebuggerPresent		failed	0	0
1621012578.164 IsDebuggerPresent		failed	0	0
1621012580.18 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621012502.82075 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 个事件)

section	\x00
section	.idata
section
section	bjacgkpg
section	qyofrzsv

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

CURSOR

One or more processes crashed (50 out of 264 个事件)

Time & API	Arguments	Status
1621012501.91475 __exception__	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 4323364 registers.edi: 0 registers.eax: 1 registers.ebp: 4323380 registers.edx: 19308544 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x32e0b9 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 3334329 exception.address: 0x10be0b9	success
1621012501.91475 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 1983119592 registers.eax: 29841 registers.ebp: 3912917012 registers.edx: 14221312 registers.ebx: 234729 registers.esi: 14742026 registers.ecx: 4294940728 exception.instruction_r: fb 55 89 1c 24 81 ec 04 00 00 00 89 04 24 e9 f8 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x780d3 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 491731 exception.address: 0xe080d3	success
1621012501.91475 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 14746356 registers.eax: 29583 registers.ebp: 3912917012 registers.edx: 14221312 registers.ebx: 234729 registers.esi: 14742026 registers.ecx: 2116207270 exception.instruction_r: fb 52 e9 42 00 00 00 81 c5 04 00 00 00 87 2c 24 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x798c4 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 497860 exception.address: 0xe098c4	success
1621012501.93075 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 14719796 registers.eax: 29583 registers.ebp: 3912917012 registers.edx: 14221312 registers.ebx: 0 registers.esi: 1259 registers.ecx: 2116207270 exception.instruction_r: fb 57 e9 87 ff ff ff 81 f1 88 74 cd 7e 81 c1 aa exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x7963e exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 497214 exception.address: 0xe0963e	success
1621012501.93075 __exception__	stacktrace: registers.esp: 4323328 registers.edi: 14752248 registers.eax: 16337095 registers.ebp: 3912917012 registers.edx: 143360 registers.ebx: 143360 registers.esi: 16336485 registers.ecx: 3294494720 exception.instruction_r: fb 52 e9 9c 06 00 00 89 d5 5a 09 eb 5d 53 ff 0c exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x2049f1 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2116081 exception.address: 0xf949f1	success
1621012501.93075 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 14752248 registers.eax: 16365580 registers.ebp: 3912917012 registers.edx: 143360 registers.ebx: 143360 registers.esi: 16336485 registers.ecx: 3294494720 exception.instruction_r: fb 68 12 09 90 13 89 1c 24 54 5b 52 ba 23 4f 7d exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x2051ab exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2118059 exception.address: 0xf951ab	success
1621012501.93075 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 14752248 registers.eax: 16339736 registers.ebp: 3912917012 registers.edx: 89674832 registers.ebx: 143360 registers.esi: 0 registers.ecx: 3294494720 exception.instruction_r: fb e9 0e 00 00 00 81 c3 93 f0 ff 63 c1 eb 03 e9 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x20496e exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2115950 exception.address: 0xf9496e	success
1621012501.93075 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 14752248 registers.eax: 16364137 registers.ebp: 3912917012 registers.edx: 1549541099 registers.ebx: 0 registers.esi: 0 registers.ecx: 930 exception.instruction_r: fb 68 3c a5 ff 53 e9 b6 04 00 00 8b 2c 24 83 c4 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x20a671 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2139761 exception.address: 0xf9a671	success
1621012501.93075 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 5123594 registers.eax: 16404122 registers.ebp: 3912917012 registers.edx: 4294941956 registers.ebx: 16364163 registers.esi: 134889 registers.ecx: 16364163 exception.instruction_r: fb e9 37 01 00 00 5f 01 1c 10 e9 91 f8 ff ff c7 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x20e98b exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2156939 exception.address: 0xf9e98b	success
1621012501.94575 __exception__	stacktrace: registers.esp: 4323324 registers.edi: 5123594 registers.eax: 1447909480 registers.ebp: 3912917012 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 16398025 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 52 89 e2 50 81 ec 04 00 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x216bd3 exception.instruction: in eax, dx exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2190291 exception.address: 0xfa6bd3	success
1621012501.94575 __exception__	stacktrace: registers.esp: 4323324 registers.edi: 5123594 registers.eax: 1 registers.ebp: 3912917012 registers.edx: 22104 registers.ebx: 0 registers.esi: 16398025 registers.ecx: 20 exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x214e9d exception.address: 0xfa4e9d exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc000001d exception.offset: 2182813	success
1621012501.94575 __exception__	stacktrace: registers.esp: 4323324 registers.edi: 5123594 registers.eax: 1447909480 registers.ebp: 3912917012 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 16398025 registers.ecx: 10 exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 d3 2c a6 17 01 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x21421a exception.instruction: in eax, dx exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2179610 exception.address: 0xfa421a	success
1621012502.14975 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 0 registers.eax: 4323292 registers.ebp: 3912917012 registers.edx: 1409963033 registers.ebx: 16432675 registers.esi: 33391 registers.ecx: 644054460 exception.instruction_r: cd 01 eb 00 6a 00 53 e8 03 00 00 00 20 5b c3 5b exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x21bcde exception.instruction: int 1 exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000005 exception.offset: 2211038 exception.address: 0xfabcde	success
1621012502.14975 __exception__	stacktrace: registers.esp: 4323328 registers.edi: 5123594 registers.eax: 25667 registers.ebp: 3912917012 registers.edx: 2130566132 registers.ebx: 16433256 registers.esi: 4195909893 registers.ecx: 9687874 exception.instruction_r: fb 52 ba 71 dd 5d 55 56 89 3c 24 e9 18 00 00 00 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x21c7f2 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2213874 exception.address: 0xfac7f2	success
1621012502.14975 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 5123594 registers.eax: 25667 registers.ebp: 3912917012 registers.edx: 2130566132 registers.ebx: 16458923 registers.esi: 4195909893 registers.ecx: 9687874 exception.instruction_r: fb 50 89 34 24 89 14 24 e9 6d 02 00 00 55 68 0c exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x21c472 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2212978 exception.address: 0xfac472	success
1621012502.14975 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 5123594 registers.eax: 0 registers.ebp: 3912917012 registers.edx: 2130566132 registers.ebx: 16435959 registers.esi: 6379 registers.ecx: 9687874 exception.instruction_r: fb 56 e9 2c 04 00 00 5e 81 c4 04 00 00 00 e9 48 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x21c579 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2213241 exception.address: 0xfac579	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 14706450 registers.eax: 29709 registers.ebp: 3912917012 registers.edx: 6 registers.ebx: 9688096 registers.esi: 16525301 registers.ecx: 0 exception.instruction_r: fb 56 be c4 2e 7e 17 c1 ee 01 81 f6 20 0d bf 0b exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x22b5dd exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2274781 exception.address: 0xfbb5dd	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 14706450 registers.eax: 0 registers.ebp: 3912917012 registers.edx: 344543317 registers.ebx: 9688096 registers.esi: 16498413 registers.ecx: 0 exception.instruction_r: fb e9 d9 03 00 00 01 d6 e9 b6 05 00 00 bf 35 92 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x22b4c8 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2274504 exception.address: 0xfbb4c8	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 14706450 registers.eax: 27297 registers.ebp: 3912917012 registers.edx: 16531902 registers.ebx: 4134 registers.esi: 18311045 registers.ecx: 361444910 exception.instruction_r: fb 31 f6 81 ec 04 00 00 00 89 04 24 56 e9 e5 01 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x22d8e1 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2283745 exception.address: 0xfbd8e1	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323332 registers.edi: 14706450 registers.eax: 27297 registers.ebp: 3912917012 registers.edx: 16531902 registers.ebx: 604292947 registers.esi: 4294943036 registers.ecx: 361444910 exception.instruction_r: fb 52 e9 76 01 00 00 89 df 89 f9 5f 5b 51 87 04 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x22d834 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2283572 exception.address: 0xfbd834	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323324 registers.edi: 14706450 registers.eax: 16531891 registers.ebp: 3912917012 registers.edx: 1755777537 registers.ebx: 6220117 registers.esi: 0 registers.ecx: 1755777537 exception.instruction_r: fb e9 00 00 00 00 52 68 a8 43 06 66 89 0c 24 89 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x23416b exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2310507 exception.address: 0xfc416b	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323320 registers.edi: 14706450 registers.eax: 16546771 registers.ebp: 3912917012 registers.edx: 2130566132 registers.ebx: 6220117 registers.esi: 0 registers.ecx: 3294494720 exception.instruction_r: fb 51 b9 8e 41 7e 67 51 53 59 5b 55 e9 f8 fe ff exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x238622 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2328098 exception.address: 0xfc8622	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323324 registers.edi: 880889941 registers.eax: 16549745 registers.ebp: 3912917012 registers.edx: 2130566132 registers.ebx: 6220117 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb 52 c7 04 24 13 e2 43 79 89 0c 24 e9 c9 01 00 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x237f00 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2326272 exception.address: 0xfc7f00	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323288 registers.edi: 16631254 registers.eax: 16669793 registers.ebp: 3912917012 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 16664729 registers.ecx: 3294494720 exception.instruction_r: fb 51 54 59 e9 07 fb ff ff 89 e6 81 c6 04 00 00 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x256436 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2450486 exception.address: 0xfe6436	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 16631254 registers.eax: 16672721 registers.ebp: 3912917012 registers.edx: 2130566132 registers.ebx: 1426090592 registers.esi: 0 registers.ecx: 3294494720 exception.instruction_r: fb 56 89 14 24 c7 04 24 29 7c 71 76 89 0c 24 e9 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x25679e exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2451358 exception.address: 0xfe679e	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 16673482 registers.eax: 25917 registers.ebp: 3912917012 registers.edx: 1408801746 registers.ebx: 16652017 registers.esi: 16699925 registers.ecx: 0 exception.instruction_r: fb 53 e9 dd fe ff ff 5b 57 89 14 24 ba 2c ca 3f exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x257714 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2455316 exception.address: 0xfe7714	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 4294944040 registers.eax: 25917 registers.ebp: 3912917012 registers.edx: 1408801746 registers.ebx: 16652017 registers.esi: 16699925 registers.ecx: 3908439400 exception.instruction_r: fb 68 8c 46 99 36 89 2c 24 bd b5 d0 df 7b 87 f5 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x2575d7 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2454999 exception.address: 0xfe75d7	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323288 registers.edi: 4294944040 registers.eax: 27163 registers.ebp: 3912917012 registers.edx: 221308199 registers.ebx: 16677088 registers.esi: 16699925 registers.ecx: 3908439400 exception.instruction_r: fb 51 54 ff 34 24 59 83 c4 04 81 c1 04 00 00 00 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x257f65 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2457445 exception.address: 0xfe7f65	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 4294944040 registers.eax: 27163 registers.ebp: 3912917012 registers.edx: 221308199 registers.ebx: 16704251 registers.esi: 16699925 registers.ecx: 3908439400 exception.instruction_r: fb 57 89 04 24 55 bd 20 76 f9 5f 81 c5 61 e9 a1 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x258011 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2457617 exception.address: 0xfe8011	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 4294944040 registers.eax: 27163 registers.ebp: 3912917012 registers.edx: 221308199 registers.ebx: 16680399 registers.esi: 0 registers.ecx: 1436387680 exception.instruction_r: fb 55 e9 9d 00 00 00 81 e9 00 88 7b 77 81 e9 3a exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x258080 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2457728 exception.address: 0xfe8080	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 4294944040 registers.eax: 26991 registers.ebp: 3912917012 registers.edx: 1026613126 registers.ebx: 16680399 registers.esi: 0 registers.ecx: 16709391 exception.instruction_r: fb 56 89 e6 81 c6 04 00 00 00 83 ee 04 33 34 24 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x2596d1 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2463441 exception.address: 0xfe96d1	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 322689 registers.eax: 26991 registers.ebp: 3912917012 registers.edx: 0 registers.ebx: 16680399 registers.esi: 0 registers.ecx: 16685035 exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 83 ec 04 89 0c 24 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x259252 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2462290 exception.address: 0xfe9252	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323288 registers.edi: 322689 registers.eax: 26597 registers.ebp: 3912917012 registers.edx: 16700148 registers.ebx: 14716023 registers.esi: 0 registers.ecx: 2002452622 exception.instruction_r: fb 55 bd f3 99 5f 7b 50 b8 de 1a 7f 1f 29 c2 58 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x25db03 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2480899 exception.address: 0xfedb03	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 322689 registers.eax: 26597 registers.ebp: 3912917012 registers.edx: 16726745 registers.ebx: 604292944 registers.esi: 0 registers.ecx: 4294943616 exception.instruction_r: fb 56 89 04 24 c7 04 24 83 09 d7 5d 52 89 0c 24 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x25d5b6 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2479542 exception.address: 0xfed5b6	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323288 registers.edi: 3913190549 registers.eax: 16716855 registers.ebp: 3912917012 registers.edx: 16776953 registers.ebx: 3925802141 registers.esi: 322689 registers.ecx: 33434337 exception.instruction_r: fb e9 69 f7 ff ff 81 ed a1 12 bd 75 81 f5 17 c5 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x261e38 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2498104 exception.address: 0xff1e38	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 3913190549 registers.eax: 16742700 registers.ebp: 3912917012 registers.edx: 16776953 registers.ebx: 3925802141 registers.esi: 322689 registers.ecx: 33434337 exception.instruction_r: fb 83 ec 04 89 14 24 89 3c 24 c7 04 24 d3 c5 ff exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x2616bc exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2496188 exception.address: 0xff16bc	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 3913190549 registers.eax: 16719844 registers.ebp: 3912917012 registers.edx: 16776953 registers.ebx: 3925802141 registers.esi: 0 registers.ecx: 81129 exception.instruction_r: fb 55 83 ec 04 89 3c 24 bf e9 8d ee 0f f7 df 56 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x261cc6 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2497734 exception.address: 0xff1cc6	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323288 registers.edi: 3913190549 registers.eax: 25667 registers.ebp: 3912917012 registers.edx: 16722821 registers.ebx: 1840130113 registers.esi: 0 registers.ecx: 81129 exception.instruction_r: fb 56 be 24 3c fb 75 e9 7d fe ff ff 89 34 24 e9 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x26336d exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2503533 exception.address: 0xff336d	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 3913190549 registers.eax: 25667 registers.ebp: 3912917012 registers.edx: 16748488 registers.ebx: 3939837675 registers.esi: 0 registers.ecx: 4294944608 exception.instruction_r: fb 68 00 38 72 12 89 04 24 81 ec 04 00 00 00 89 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x263535 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2503989 exception.address: 0xff3535	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323288 registers.edi: 1883626418 registers.eax: 28317 registers.ebp: 3912917012 registers.edx: 16767888 registers.ebx: 16727178 registers.esi: 2807044928 registers.ecx: 0 exception.instruction_r: fb 50 e9 12 01 00 00 81 c3 17 06 ce d8 29 da 5b exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x2644ce exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2507982 exception.address: 0xff44ce	success
1621012502.32075 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 612979029 registers.eax: 28317 registers.ebp: 3912917012 registers.edx: 16767888 registers.ebx: 16755495 registers.esi: 4294941516 registers.ecx: 0 exception.instruction_r: fb 57 bf 20 28 fb 6a 89 fb 5f e9 5b fc ff ff 01 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x26436c exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2507628 exception.address: 0xff436c	success
1621012502.35275 __exception__	stacktrace: registers.esp: 4323288 registers.edi: 16768570 registers.eax: 29953 registers.ebp: 3912917012 registers.edx: 16548718 registers.ebx: 16751681 registers.esi: 4430672 registers.ecx: 3294498089 exception.instruction_r: fb 53 bb 55 f3 47 6b 81 e3 06 07 ff 6c e9 dd 00 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x26e01c exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2547740 exception.address: 0xffe01c	success
1621012502.35275 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 16798523 registers.eax: 29953 registers.ebp: 3912917012 registers.edx: 16548718 registers.ebx: 16751681 registers.esi: 4430672 registers.ecx: 3294498089 exception.instruction_r: fb 53 e9 8c fd ff ff f7 14 24 e9 68 05 00 00 5c exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x26e16e exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2548078 exception.address: 0xffe16e	success
1621012502.35275 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 16771667 registers.eax: 29953 registers.ebp: 3912917012 registers.edx: 16548718 registers.ebx: 2179303765 registers.esi: 4430672 registers.ecx: 0 exception.instruction_r: fb 55 52 ba 0c b9 79 6f f7 d2 f7 d2 81 ea 01 00 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x26deb9 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2547385 exception.address: 0xffdeb9	success
1621012502.35275 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 16771667 registers.eax: 26053 registers.ebp: 3912917012 registers.edx: 4294944368 registers.ebx: 606898519 registers.esi: 16809631 registers.ecx: 115666406 exception.instruction_r: fb 53 c7 04 24 f3 1b 8e 70 89 14 24 e9 fa 03 00 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x271bf1 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2563057 exception.address: 0x1001bf1	success
1621012502.35275 __exception__	stacktrace: registers.esp: 4323288 registers.edi: 16847784 registers.eax: 26553 registers.ebp: 3912917012 registers.edx: 16868592 registers.ebx: 2002452454 registers.esi: 16787925 registers.ecx: 3294494720 exception.instruction_r: fb 57 bf de fc 7c 7e e9 1b 03 00 00 01 fe e9 19 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x286c2a exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2649130 exception.address: 0x1016c2a	success
1621012502.35275 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 16847784 registers.eax: 26553 registers.ebp: 3912917012 registers.edx: 16895145 registers.ebx: 2002452454 registers.esi: 16787925 registers.ecx: 3294494720 exception.instruction_r: fb e9 d5 fc ff ff 5f 29 c2 8b 04 24 83 c4 04 01 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x286ca9 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2649257 exception.address: 0x1016ca9	success
1621012502.35275 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 16847784 registers.eax: 638761554 registers.ebp: 3912917012 registers.edx: 16895145 registers.ebx: 4294944176 registers.esi: 16787925 registers.ecx: 3294494720 exception.instruction_r: fb 55 c7 04 24 20 c4 ff 57 81 0c 24 b3 c6 fe 7e exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x28679a exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2647962 exception.address: 0x101679a	success
1621012502.35275 __exception__	stacktrace: registers.esp: 4323288 registers.edi: 16847784 registers.eax: 16872495 registers.ebp: 3912917012 registers.edx: 243948586 registers.ebx: 428899765 registers.esi: 16787925 registers.ecx: 114341376 exception.instruction_r: fb 2d 34 4f 2e 64 2d 5f 97 2f 7f 03 04 24 51 89 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x287e03 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2653699 exception.address: 0x1017e03	success
1621012502.35275 __exception__	stacktrace: registers.esp: 4323292 registers.edi: 16847784 registers.eax: 16904110 registers.ebp: 3912917012 registers.edx: 243948586 registers.ebx: 428899765 registers.esi: 16787925 registers.ecx: 114341376 exception.instruction_r: fb 50 e9 d5 fc ff ff 57 bf cf 7d f7 77 47 e9 0a exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x287eb3 exception.instruction: sti exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2653875 exception.address: 0x1017eb3	success

Allocates read-write-execute memory (usually to unpack itself) (50 out of 52 个事件)

Time & API	Arguments	Status
1621012502.38375 NtProtectVirtualMemory	process_identifier: 580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1621012502.38375 NtProtectVirtualMemory	process_identifier: 580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1621012502.43075 NtProtectVirtualMemory	process_identifier: 580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00d91000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00490000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00910000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00920000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00970000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00980000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a10000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a20000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a70000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad0000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ae0000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d30000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d80000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x026b0000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02800000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02810000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02820000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02830000	success
1621012502.43075 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00980000	success
1621012502.44575 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00980000	success
1621012502.44575 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02840000	success
1621012502.44575 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02850000	success
1621012502.44575 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02a20000	success
1621012502.44575 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00980000	success
1621012502.44575 NtAllocateVirtualMemory	process_identifier: 580 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00980000	success
1621012145.277771 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004070000	success
1621012507.539 NtProtectVirtualMemory	process_identifier: 3232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1621012507.539 NtProtectVirtualMemory	process_identifier: 3232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1621012507.617 NtProtectVirtualMemory	process_identifier: 3232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00fc1000	success
1621012507.649 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00410000	success
1621012507.649 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00420000	success
1621012507.649 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004f0000	success
1621012507.649 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00540000	success
1621012507.649 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00550000	success
1621012507.649 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e0000	success
1621012507.664 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a10000	success
1621012507.664 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a20000	success
1621012507.664 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a30000	success
1621012507.664 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a40000	success
1621012507.664 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ad0000	success
1621012507.664 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ba0000	success
1621012507.664 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bb0000	success
1621012507.664 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bc0000	success
1621012507.664 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00550000	success
1621012507.664 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00550000	success
1621012507.664 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bd0000	success
1621012507.664 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00de0000	success
1621012507.68 NtAllocateVirtualMemory	process_identifier: 3232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00df0000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 个事件)

description

SmartClock.exe tried to sleep 645 seconds, actually delayed analysis time by 645 seconds

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Creates a shortcut to an executable file (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)

entropy

7.965032605010072

section

{'size_of_data': '0x0000fc00', 'virtual_address': '0x00001000', 'entropy': 7.965032605010072, 'name': ' \\x00 ', 'virtual_size': '0x00023000'}

description

A section with a high entropy has been found

entropy

7.954444437882635

section

{'size_of_data': '0x001ab600', 'virtual_address': '0x0032e000', 'entropy': 7.954444437882635, 'name': 'bjacgkpg', 'virtual_size': '0x001ac000'}

description

A section with a high entropy has been found

entropy

0.8456583969465649

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 个事件)

process

system

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Checks for the presence of known devices from debuggers and forensic tools (3 个事件)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 241 个事件)

Time & API	Arguments	Status
1621012502.35275 FindWindowA	class_name: OLLYDBG window_name:	failed
1621012502.35275 FindWindowA	class_name: GBDYLLO window_name:	failed
1621012502.35275 FindWindowA	class_name: pediy06 window_name:	failed
1621012502.35275 FindWindowA	class_name: FilemonClass window_name:	failed
1621012502.35275 FindWindowA	class_name: FilemonClass window_name:	failed
1621012502.35275 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1621012502.35275 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1621012502.35275 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1621012502.36775 FindWindowA	class_name: RegmonClass window_name:	failed
1621012502.36775 FindWindowA	class_name: RegmonClass window_name:	failed
1621012502.36775 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1621012502.36775 FindWindowA	class_name: 18467-41 window_name:	failed
1621012502.43075 FindWindowA	class_name: FilemonClass window_name:	failed
1621012502.43075 FindWindowA	class_name: FilemonClass window_name:	failed
1621012502.43075 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1621012502.43075 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1621012502.43075 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1621012504.38375 FindWindowA	class_name: OLLYDBG window_name:	failed
1621012504.38375 FindWindowA	class_name: GBDYLLO window_name:	failed
1621012504.38375 FindWindowA	class_name: pediy06 window_name:	failed
1621012506.41475 FindWindowA	class_name: OLLYDBG window_name:	failed
1621012506.41475 FindWindowA	class_name: GBDYLLO window_name:	failed
1621012506.41475 FindWindowA	class_name: pediy06 window_name:	failed
1621012506.44575 FindWindowA	class_name: Regmonclass window_name:	failed
1621012506.44575 FindWindowA	class_name: Regmonclass window_name:	failed
1621012506.75875 FindWindowA	class_name: 18467-41 window_name:	failed
1621012507.492 FindWindowA	class_name: OLLYDBG window_name:	failed
1621012507.492 FindWindowA	class_name: GBDYLLO window_name:	failed
1621012507.492 FindWindowA	class_name: pediy06 window_name:	failed
1621012507.508 FindWindowA	class_name: FilemonClass window_name:	failed
1621012507.508 FindWindowA	class_name: FilemonClass window_name:	failed
1621012507.508 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1621012507.508 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1621012507.508 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1621012507.524 FindWindowA	class_name: RegmonClass window_name:	failed
1621012507.524 FindWindowA	class_name: RegmonClass window_name:	failed
1621012507.524 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1621012507.524 FindWindowA	class_name: 18467-41 window_name:	failed
1621012507.602 FindWindowA	class_name: FilemonClass window_name:	failed
1621012507.602 FindWindowA	class_name: FilemonClass window_name:	failed
1621012507.602 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1621012507.602 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1621012507.602 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1621012509.524 FindWindowA	class_name: OLLYDBG window_name:	failed
1621012509.524 FindWindowA	class_name: GBDYLLO window_name:	failed
1621012509.524 FindWindowA	class_name: pediy06 window_name:	failed
1621012511.539 FindWindowA	class_name: OLLYDBG window_name:	failed
1621012511.539 FindWindowA	class_name: GBDYLLO window_name:	failed
1621012511.539 FindWindowA	class_name: pediy06 window_name:	failed
1621012511.774 FindWindowA	class_name: Regmonclass window_name:	failed

Checks the version of Bios, possibly for anti-virtualization (2 个事件)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Detects VirtualBox through the presence of a registry key (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621012501.94575 __exception__	stacktrace: registers.esp: 4323324 registers.edi: 5123594 registers.eax: 1447909480 registers.ebp: 3912917012 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 16398025 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 52 89 e2 50 81 ec 04 00 exception.symbol: a0e5fe139aef001e51163aca10d59cd1+0x216bd3 exception.instruction: in eax, dx exception.module: a0e5fe139aef001e51163aca10d59cd1.exe exception.exception_code: 0xc0000096 exception.offset: 2190291 exception.address: 0xfa6bd3	success	0	0

Detects the presence of Wine emulator (1 个事件)

registry

HKEY_CURRENT_USER\Software\Wine

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-03-15 02:59:56

Imports

Library kernel32.dll:

• 0x475033 lstrcpy

Library comctl32.dll:

• 0x47503b InitCommonControls

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.