SmartHawk

11.6

0-day

54 个模型检测该样本为恶意！

重新分析

下载样本

d2edc352a2a157c1ac51e314039ca894958635959d905900755992eed6a13256

bb1b92cadb37426ac0d5e8e62cff705a.exe

分析耗时

97s

最近分析

文件大小

555.0KB

静态报毒动态报毒 100% AGEN AI SCORE=82 AIDETECTVM ARTEMIS ASPROTECT ATTRIBUTE BTQCO0 CLASSIC CONFIDENCE DELF DOWNLOADER33 ELDT FAREIT GENERICKD HGRQEA HIGH CONFIDENCE HIGHCONFIDENCE IGENT IOWAAIP8FDOI KRYPTIK L6EI LOKIBOT MALWARE1 MALWARE@#3BBZOAWPBU7BS NANOCORE OCCAMY PEZJ R + MAL R002C0DH420 RACEALER SCORE SUSGEN TSCOPE UNSAFE VCES ZELPHIF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!BB1B92CADB37	20201229	6.0.6.653
CrowdStrike	win/malicious_confidence_80% (W)	20190702	1.0
Alibaba	Trojan:Win32/Lokibot.9decbac8	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Trojan-gen	20201229	21.1.5827.0
Kingsoft		20201229	2017.9.26.565
Tencent	Win32.Trojan.Kryptik.Pezj	20201229	1.0.0.1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)

section
section	.adata

The executable uses a known packer (1 个事件)

packer

ASProtect v1.23 RC1

One or more processes crashed (50 out of 334 个事件)

Time & API	Arguments	Status
1619861620.577375 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 0 registers.eax: 0 registers.ebp: 1638240 registers.edx: 35029448 registers.ebx: 34996564 registers.esi: 34471936 registers.ecx: 0 exception.instruction_r: 89 1f dc 08 a5 0f 20 0c 50 c1 67 64 8f 06 00 00 exception.instruction: mov dword ptr [edi], ebx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x21602df	success
1619861620.577375 __exception__	stacktrace: 0x215ca80 registers.esp: 1637892 registers.edi: 34799616 registers.eax: 0 registers.ebp: 1638188 registers.edx: 0 registers.ebx: 34996564 registers.esi: 34471936 registers.ecx: 16777216 exception.instruction_r: c7 00 27 3d 42 85 95 a3 3f f2 eb 01 9a 67 64 8f exception.instruction: mov dword ptr [eax], 0x85423d27 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215f80d	success
1619861620.609375 __exception__	stacktrace: 0x215ca80 registers.esp: 1637892 registers.edi: 34799616 registers.eax: 0 registers.ebp: 1638188 registers.edx: 0 registers.ebx: 36403176 registers.esi: 36403564 registers.ecx: 0 exception.instruction_r: c6 01 d6 41 3d 7c b6 f8 eb fa e1 8a 67 64 8f 06 exception.instruction: mov byte ptr [ecx], -0x2a exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215fa69	success
1619861620.609375 __exception__	stacktrace: 0x215ca80 registers.esp: 1637892 registers.edi: 34799616 registers.eax: 0 registers.ebp: 1638188 registers.edx: 1637904 registers.ebx: 551329 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 6f 98 0f a3 e1 5c 67 64 8f 06 00 00 83 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215fbe7	success
1619861620.609375 __exception__	stacktrace: 0x215fc1e 0x215ca80 registers.esp: 1637856 registers.edi: 35979264 registers.eax: 35005632 registers.ebp: 1637892 registers.edx: 0 registers.ebx: 212 registers.esi: 4294967295 registers.ecx: 0 exception.instruction_r: c6 01 ee 67 ee 13 fa 82 48 cf 43 67 64 8f 06 00 exception.instruction: mov byte ptr [ecx], -0x12 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215d3af	success
1619861620.609375 __exception__	stacktrace: 0x215fc1e 0x215ca80 registers.esp: 1637856 registers.edi: 0 registers.eax: 42926080 registers.ebp: 1637892 registers.edx: 2130566132 registers.ebx: 42926080 registers.esi: 4294967295 registers.ecx: 584800 exception.instruction_r: 89 1f d9 67 64 8f 06 00 00 83 c4 04 f2 eb 01 f2 exception.instruction: mov dword ptr [edi], ebx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215d5a3	success
1619861620.655375 __exception__	stacktrace: 0x215fc1e 0x215ca80 registers.esp: 1637856 registers.edi: 35979264 registers.eax: 0 registers.ebp: 1637892 registers.edx: 1637904 registers.ebx: 34859752 registers.esi: 42926080 registers.ecx: 0 exception.instruction_r: c7 00 e7 4b 82 30 5a e0 9e be 18 95 cf 5b 06 67 exception.instruction: mov dword ptr [eax], 0x30824be7 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215d76b	success
1619861620.655375 __exception__	stacktrace: 0x215fc1e 0x215ca80 registers.esp: 1637856 registers.edi: 35979264 registers.eax: 35005632 registers.ebp: 1637892 registers.edx: 1637904 registers.ebx: 34859752 registers.esi: 3423313731 registers.ecx: 0 exception.instruction_r: c6 01 d6 6e 5b 42 80 93 40 37 f1 48 67 64 8f 06 exception.instruction: mov byte ptr [ecx], -0x2a exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215d81b	success
1619861620.655375 __exception__	stacktrace: 0x215ca80 registers.esp: 1637892 registers.edi: 34799616 registers.eax: 3423313731 registers.ebp: 1638188 registers.edx: 1637904 registers.ebx: 551329 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 8e 67 64 8f 06 00 00 83 c4 04 81 de 1e exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215fd41	success
1619861620.655375 __exception__	stacktrace: 0x215ca80 registers.esp: 1637892 registers.edi: 34799616 registers.eax: 0 registers.ebp: 1638188 registers.edx: 0 registers.ebx: 551329 registers.esi: 3423313731 registers.ecx: 0 exception.instruction_r: 01 72 00 c7 73 d0 97 ae 15 67 64 8f 06 00 00 eb exception.instruction: add dword ptr [edx], esi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215ff0b	success
1619861620.655375 __exception__	stacktrace: 0x215ca80 registers.esp: 1637892 registers.edi: 34799616 registers.eax: 661657023 registers.ebp: 1638188 registers.edx: 35029500 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 ee 62 cb 95 67 25 a0 ec f3 eb 02 cd 20 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x21600d1	success
1619861620.655375 __exception__	stacktrace: registers.esp: 1638164 registers.edi: 34799616 registers.eax: 670045631 registers.ebp: 1638240 registers.edx: 35029500 registers.ebx: 3427583282 registers.esi: 0 registers.ecx: 5011414 exception.instruction_r: 01 56 00 6f 98 0f a3 e1 5c 67 64 8f 06 00 00 83 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215cb99	success
1619861620.655375 __exception__	stacktrace: registers.esp: 1638164 registers.edi: 213746 registers.eax: 0 registers.ebp: 34859856 registers.edx: 1638216 registers.ebx: 36307764 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 8e 67 64 8f 06 00 00 83 c4 04 81 de 1e exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215cd66	success
1619861620.655375 __exception__	stacktrace: 0x215db36 0x215f030 registers.esp: 1638120 registers.edi: 36403509 registers.eax: 0 registers.ebp: 1638148 registers.edx: 1638216 registers.ebx: 34859752 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 6f 98 0f a3 e1 5c 67 64 8f 06 00 00 83 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215cf01	success
1619861620.655375 __exception__	stacktrace: 0x215f030 registers.esp: 1638144 registers.edi: 36403509 registers.eax: 0 registers.ebp: 1638196 registers.edx: 0 registers.ebx: 5011454 registers.esi: 36308060 registers.ecx: 0 exception.instruction_r: 01 72 00 13 a3 06 59 8f 69 04 47 74 18 eb 01 69 exception.instruction: add dword ptr [edx], esi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215dcf1	success
1619861620.655375 __exception__	stacktrace: registers.esp: 1638156 registers.edi: 34799616 registers.eax: 4194304 registers.ebp: 1638240 registers.edx: 0 registers.ebx: 516096 registers.esi: 35029436 registers.ecx: 0 exception.instruction_r: c6 01 2e 06 ba a4 67 64 8f 06 00 00 83 c4 04 83 exception.instruction: mov byte ptr [ecx], 0x2e exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215f165	success
1619861620.655375 __exception__	stacktrace: registers.esp: 1638140 registers.edi: 34799616 registers.eax: 35029500 registers.ebp: 1638240 registers.edx: 1638216 registers.ebx: 0 registers.esi: 36308060 registers.ecx: 0 exception.instruction_r: 89 3b c0 98 67 64 8f 06 00 00 83 c4 04 c1 cb d7 exception.instruction: mov dword ptr [ebx], edi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215e2b7	success
1619861620.655375 __exception__	stacktrace: registers.esp: 1638140 registers.edi: 34799616 registers.eax: 0 registers.ebp: 1638240 registers.edx: 1 registers.ebx: 0 registers.esi: 36308060 registers.ecx: 3561945104 exception.instruction_r: 89 3b c0 98 67 64 8f 06 00 00 83 c4 04 c1 cb d7 exception.instruction: mov dword ptr [ebx], edi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215e40e	success
1619861620.687375 __exception__	stacktrace: 0x215e51d registers.esp: 1638120 registers.edi: 36376078 registers.eax: 0 registers.ebp: 1638144 registers.edx: 0 registers.ebx: 34859752 registers.esi: 36308060 registers.ecx: 0 exception.instruction_r: 01 72 00 d7 19 c6 25 39 e2 cd 74 0c 77 eb 26 82 exception.instruction: add dword ptr [edx], esi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215e035	success
1619861620.687375 __exception__	stacktrace: registers.esp: 1638140 registers.edi: 36376078 registers.eax: 1637888 registers.ebp: 1638240 registers.edx: 0 registers.ebx: 3906863858 registers.esi: 0 registers.ecx: 1638144 exception.instruction_r: 01 56 00 1a cb 1e 97 d4 83 de 53 10 67 64 8f 06 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215e6ad	success
1619861620.687375 __exception__	stacktrace: registers.esp: 1638140 registers.edi: 0 registers.eax: 1 registers.ebp: 36388689 registers.edx: 0 registers.ebx: 36388265 registers.esi: 36308060 registers.ecx: 3923805239 exception.instruction_r: 89 1f 2e a1 f9 ae 13 9a 72 d1 a6 67 64 8f 06 00 exception.instruction: mov dword ptr [edi], ebx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215e91c	success
1619861620.687375 __exception__	stacktrace: registers.esp: 1638140 registers.edi: 6041 registers.eax: 1 registers.ebp: 36388689 registers.edx: 2 registers.ebx: 36388265 registers.esi: 0 registers.ecx: 3923805239 exception.instruction_r: 01 56 00 59 d3 1e 20 95 94 59 c8 5b d5 6e 29 95 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215ec0b	success
1619861620.687375 __exception__	stacktrace: registers.esp: 1638140 registers.edi: 6041 registers.eax: 35005620 registers.ebp: 36388689 registers.edx: 4 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 f0 93 bc 67 64 8f 06 00 00 83 c4 04 8d exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215ed98	success
1619861620.687375 __exception__	stacktrace: registers.esp: 1638140 registers.edi: 6041 registers.eax: 35005620 registers.ebp: 36388689 registers.edx: 4 registers.ebx: 0 registers.esi: 36308060 registers.ecx: 0 exception.instruction_r: 89 3b c0 98 67 64 8f 06 00 00 83 c4 04 c1 cb d7 exception.instruction: mov dword ptr [ebx], edi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215ef5a	success
1619861620.687375 __exception__	stacktrace: 0x213dcdc registers.esp: 1638168 registers.edi: 34799616 registers.eax: 5131169 registers.ebp: 1638208 registers.edx: 34910528 registers.ebx: 0 registers.esi: 34471936 registers.ecx: 0 exception.instruction_r: 89 3b c1 36 eb 01 9a 67 64 8f 06 00 00 f2 eb 01 exception.instruction: mov dword ptr [ebx], edi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x21604b4	success
1619861620.702375 __exception__	stacktrace: 0x213dcdc registers.esp: 1638168 registers.edi: 34799616 registers.eax: 35029520 registers.ebp: 1638208 registers.edx: 0 registers.ebx: 36418548 registers.esi: 0 registers.ecx: 2 exception.instruction_r: 01 56 00 ee b7 d8 85 5f e3 51 f3 eb 02 cd 20 67 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x21605eb	success
1619861620.702375 __exception__	stacktrace: 0x213dcdc registers.esp: 1638168 registers.edi: 34799616 registers.eax: 0 registers.ebp: 1638208 registers.edx: 4 registers.ebx: 36418548 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 f0 93 bc 67 64 8f 06 00 00 83 c4 04 8d exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2160788	success
1619861620.702375 __exception__	stacktrace: 0x213dcdc registers.esp: 1638168 registers.edi: 34799616 registers.eax: 661657023 registers.ebp: 1638208 registers.edx: 35029500 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 89 3b 84 65 a7 c4 16 67 64 8f 06 00 00 83 c4 04 exception.instruction: mov dword ptr [ebx], edi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2160923	success
1619861620.749375 __exception__	stacktrace: 0x213dcdc registers.esp: 1638168 registers.edi: 34799616 registers.eax: 0 registers.ebp: 1638208 registers.edx: 40 registers.ebx: 36418548 registers.esi: 36418922 registers.ecx: 0 exception.instruction_r: c7 00 9f 5d 2e d9 6a 26 eb 02 cd 20 67 64 8f 06 exception.instruction: mov dword ptr [eax], 0xd92e5d9f exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2160acb	success
1619861620.749375 __exception__	stacktrace: 0x213dcdc registers.esp: 1638168 registers.edi: 34799616 registers.eax: 1636883 registers.ebp: 1638208 registers.edx: 0 registers.ebx: 36418548 registers.esi: 36418922 registers.ecx: 1 exception.instruction_r: 01 72 00 c4 13 f7 69 f4 e4 39 67 64 8f 06 00 00 exception.instruction: add dword ptr [edx], esi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x2160bf5	success
1619861620.749375 __exception__	stacktrace: registers.esp: 1638128 registers.edi: 34799616 registers.eax: 5131169 registers.ebp: 1638240 registers.edx: 34910528 registers.ebx: 36418640 registers.esi: 0 registers.ecx: 36414532 exception.instruction_r: 01 56 00 1a cb 1e 97 d4 83 de 53 10 67 64 8f 06 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215da0a	success
1619861620.749375 __exception__	stacktrace: registers.esp: 1638140 registers.edi: 34799616 registers.eax: 3898005695 registers.ebp: 1638240 registers.edx: 1638216 registers.ebx: 3898005695 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 ee b7 d8 85 5f e3 51 f3 eb 02 cd 20 67 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x215f569	success
1619861621.015375 __exception__	stacktrace: bb1b92cadb37426ac0d5e8e62cff705a+0x6c6d9 @ 0x46c6d9 bb1b92cadb37426ac0d5e8e62cff705a+0x3d93 @ 0x403d93 0x18ff60 0x2130000 registers.esp: 1637824 registers.edi: 4638476 registers.eax: 0 registers.ebp: 1638116 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 82 registers.ecx: 369950720 exception.instruction_r: f7 f0 90 90 33 c0 5a 59 59 64 89 10 eb 13 e9 98 exception.symbol: bb1b92cadb37426ac0d5e8e62cff705a+0x6c4b1 exception.instruction: div eax exception.module: bb1b92cadb37426ac0d5e8e62cff705a.exe exception.exception_code: 0xc0000094 exception.offset: 443569 exception.address: 0x46c4b1	success
1619884391.044874 __exception__	stacktrace: registers.esp: 1638204 registers.edi: 0 registers.eax: 0 registers.ebp: 1638240 registers.edx: 5734856 registers.ebx: 5701972 registers.esi: 5177344 registers.ecx: 0 exception.instruction_r: 89 1f dc 08 a5 0f 20 0c 50 c1 67 64 8f 06 00 00 exception.instruction: mov dword ptr [edi], ebx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5702df	success
1619884391.044874 __exception__	stacktrace: 0x56ca80 registers.esp: 1637892 registers.edi: 5505024 registers.eax: 0 registers.ebp: 1638188 registers.edx: 0 registers.ebx: 5701972 registers.esi: 5177344 registers.ecx: 16777216 exception.instruction_r: c7 00 27 3d 42 85 95 a3 3f f2 eb 01 9a 67 64 8f exception.instruction: mov dword ptr [eax], 0x85423d27 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56f80d	success
1619884391.059874 __exception__	stacktrace: 0x56ca80 registers.esp: 1637892 registers.edi: 5505024 registers.eax: 0 registers.ebp: 1638188 registers.edx: 0 registers.ebx: 36206568 registers.esi: 36206956 registers.ecx: 0 exception.instruction_r: c6 01 d6 41 3d 7c b6 f8 eb fa e1 8a 67 64 8f 06 exception.instruction: mov byte ptr [ecx], -0x2a exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56fa69	success
1619884391.059874 __exception__	stacktrace: 0x56ca80 registers.esp: 1637892 registers.edi: 5505024 registers.eax: 0 registers.ebp: 1638188 registers.edx: 1637904 registers.ebx: 551329 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 6f 98 0f a3 e1 5c 67 64 8f 06 00 00 83 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56fbe7	success
1619884391.059874 __exception__	stacktrace: 0x56fc1e 0x56ca80 registers.esp: 1637856 registers.edi: 38338560 registers.eax: 5711040 registers.ebp: 1637892 registers.edx: 0 registers.ebx: 212 registers.esi: 4294967295 registers.ecx: 0 exception.instruction_r: c6 01 ee 67 ee 13 fa 82 48 cf 43 67 64 8f 06 00 exception.instruction: mov byte ptr [ecx], -0x12 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56d3af	success
1619884391.059874 __exception__	stacktrace: 0x56fc1e 0x56ca80 registers.esp: 1637856 registers.edi: 0 registers.eax: 42795008 registers.ebp: 1637892 registers.edx: 2130566132 registers.ebx: 42795008 registers.esi: 4294967295 registers.ecx: 584800 exception.instruction_r: 89 1f d9 67 64 8f 06 00 00 83 c4 04 f2 eb 01 f2 exception.instruction: mov dword ptr [edi], ebx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56d5a3	success
1619884391.090874 __exception__	stacktrace: 0x56fc1e 0x56ca80 registers.esp: 1637856 registers.edi: 38338560 registers.eax: 0 registers.ebp: 1637892 registers.edx: 1637904 registers.ebx: 5565160 registers.esi: 42795008 registers.ecx: 0 exception.instruction_r: c7 00 e7 4b 82 30 5a e0 9e be 18 95 cf 5b 06 67 exception.instruction: mov dword ptr [eax], 0x30824be7 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56d76b	success
1619884391.090874 __exception__	stacktrace: 0x56fc1e 0x56ca80 registers.esp: 1637856 registers.edi: 38338560 registers.eax: 5711040 registers.ebp: 1637892 registers.edx: 1637904 registers.ebx: 5565160 registers.esi: 3423313731 registers.ecx: 0 exception.instruction_r: c6 01 d6 6e 5b 42 80 93 40 37 f1 48 67 64 8f 06 exception.instruction: mov byte ptr [ecx], -0x2a exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56d81b	success
1619884391.090874 __exception__	stacktrace: 0x56ca80 registers.esp: 1637892 registers.edi: 5505024 registers.eax: 3423313731 registers.ebp: 1638188 registers.edx: 1637904 registers.ebx: 551329 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 8e 67 64 8f 06 00 00 83 c4 04 81 de 1e exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56fd41	success
1619884391.090874 __exception__	stacktrace: 0x56ca80 registers.esp: 1637892 registers.edi: 5505024 registers.eax: 0 registers.ebp: 1638188 registers.edx: 0 registers.ebx: 551329 registers.esi: 3423313731 registers.ecx: 0 exception.instruction_r: 01 72 00 c7 73 d0 97 ae 15 67 64 8f 06 00 00 eb exception.instruction: add dword ptr [edx], esi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56ff0b	success
1619884391.090874 __exception__	stacktrace: 0x56ca80 registers.esp: 1637892 registers.edi: 5505024 registers.eax: 661657023 registers.ebp: 1638188 registers.edx: 5734908 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 ee 62 cb 95 67 25 a0 ec f3 eb 02 cd 20 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5700d1	success
1619884391.090874 __exception__	stacktrace: registers.esp: 1638164 registers.edi: 5505024 registers.eax: 670045631 registers.ebp: 1638240 registers.edx: 5734908 registers.ebx: 3427583282 registers.esi: 0 registers.ecx: 5011414 exception.instruction_r: 01 56 00 6f 98 0f a3 e1 5c 67 64 8f 06 00 00 83 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56cb99	success
1619884391.090874 __exception__	stacktrace: registers.esp: 1638164 registers.edi: 213746 registers.eax: 0 registers.ebp: 5565264 registers.edx: 1638216 registers.ebx: 36111156 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 8e 67 64 8f 06 00 00 83 c4 04 81 de 1e exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56cd66	success
1619884391.090874 __exception__	stacktrace: 0x56db36 0x56f030 registers.esp: 1638120 registers.edi: 36206901 registers.eax: 0 registers.ebp: 1638148 registers.edx: 1638216 registers.ebx: 5565160 registers.esi: 0 registers.ecx: 0 exception.instruction_r: 01 56 00 6f 98 0f a3 e1 5c 67 64 8f 06 00 00 83 exception.instruction: add dword ptr [esi], edx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56cf01	success
1619884391.090874 __exception__	stacktrace: 0x56f030 registers.esp: 1638144 registers.edi: 36206901 registers.eax: 0 registers.ebp: 1638196 registers.edx: 0 registers.ebx: 5011454 registers.esi: 36111452 registers.ecx: 0 exception.instruction_r: 01 72 00 13 a3 06 59 8f 69 04 47 74 18 eb 01 69 exception.instruction: add dword ptr [edx], esi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56dcf1	success
1619884391.106874 __exception__	stacktrace: registers.esp: 1638156 registers.edi: 5505024 registers.eax: 4194304 registers.ebp: 1638240 registers.edx: 0 registers.ebx: 516096 registers.esi: 5734844 registers.ecx: 0 exception.instruction_r: c6 01 2e 06 ba a4 67 64 8f 06 00 00 83 c4 04 83 exception.instruction: mov byte ptr [ecx], 0x2e exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56f165	success
1619884391.106874 __exception__	stacktrace: registers.esp: 1638140 registers.edi: 5505024 registers.eax: 5734908 registers.ebp: 1638240 registers.edx: 1638216 registers.ebx: 0 registers.esi: 36111452 registers.ecx: 0 exception.instruction_r: 89 3b c0 98 67 64 8f 06 00 00 83 c4 04 c1 cb d7 exception.instruction: mov dword ptr [ebx], edi exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x56e2b7	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 378 个事件)

Time & API	Arguments	Status
1619861620.499375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 270336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x020e0000	success
1619861620.499375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 270336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02130000	success
1619861620.577375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x020f0000	success
1619861620.577375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02100000	success
1619861620.577375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02110000	success
1619861620.577375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02120000	success
1619861620.577375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02190000	success
1619861620.593375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021a0000	success
1619861620.593375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021b0000	success
1619861620.593375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021c0000	success
1619861620.593375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021d0000	success
1619861620.593375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021e0000	success
1619861620.593375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x021f0000	success
1619861620.593375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02200000	success
1619861620.593375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02210000	success
1619861620.593375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02220000	success
1619861620.593375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02230000	success
1619861620.593375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02240000	success
1619861620.593375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02250000	success
1619861620.687375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x025b0000	success
1619861620.687375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x025c0000	success
1619861620.687375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x025d0000	success
1619861620.687375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x028f0000	success
1619861620.687375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02900000	success
1619861620.780375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02a10000	success
1619861621.062375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02a20000	success
1619861621.124375 NtAllocateVirtualMemory	process_identifier: 2900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02a40000	success
1619884391.044874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 270336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004f0000	success
1619884391.044874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 270336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00540000	success
1619884391.044874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e0000	success
1619884391.044874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f0000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004f0000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00500000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00510000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00520000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00530000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00590000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00830000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00840000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00850000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00860000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02210000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02220000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02470000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02480000	success
1619884391.059874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02490000	success
1619884391.122874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x024d0000	success
1619884391.122874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x028d0000	success
1619884391.122874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x028e0000	success
1619884391.122874 NtAllocateVirtualMemory	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x028f0000	success

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (10 个事件)

Time & API	Arguments	Status	Return
1619861620.702375 GetDiskFreeSpaceW	root_path: C:\ sectors_per_cluster: 8 number_of_free_clusters: 4786908 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1
1619884391.137874 GetDiskFreeSpaceW	root_path: C:\ sectors_per_cluster: 8 number_of_free_clusters: 4783924 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1
1619884400.153874 GetDiskFreeSpaceW	root_path: C:\ sectors_per_cluster: 8 number_of_free_clusters: 4731760 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1
1619884418.169874 GetDiskFreeSpaceW	root_path: C:\ sectors_per_cluster: 8 number_of_free_clusters: 4741268 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1
1619884423.653501 GetDiskFreeSpaceW	root_path: C:\ sectors_per_cluster: 8 number_of_free_clusters: 4740993 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1
1619884424.684501 GetDiskFreeSpaceW	root_path: C:\ sectors_per_cluster: 8 number_of_free_clusters: 4741274 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1
1619884430.170249 GetDiskFreeSpaceW	root_path: C:\ sectors_per_cluster: 8 number_of_free_clusters: 4733062 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1
1619884431.153874 GetDiskFreeSpaceW	root_path: C:\ sectors_per_cluster: 8 number_of_free_clusters: 4741268 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1
1619884436.762749 GetDiskFreeSpaceW	root_path: C:\ sectors_per_cluster: 8 number_of_free_clusters: 4729024 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1
1619884437.857249 GetDiskFreeSpaceW	root_path: C:\ sectors_per_cluster: 8 number_of_free_clusters: 4741144 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windate.vbs

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (7 个事件)

Time & API	Arguments	Status	Return
1619884430.326249 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x00000110 process_identifier: 3164	success	1
1619884430.326249 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x00000110 process_identifier: 3268	success	1
1619884430.326249 Process32NextW	process_name: sppsvc.exe snapshot_handle: 0x00000110 process_identifier: 3384	success	1
1619884430.326249 Process32NextW	process_name: windate.exe snapshot_handle: 0x00000110 process_identifier: 3460	success	1
1619884430.326249 Process32NextW	process_name: windate.exe snapshot_handle: 0x00000110 process_identifier: 3524	success	1
1619884436.934749 Process32NextW	process_name: windate.exe snapshot_handle: 0x00000110 process_identifier: 3708	success	1
1619884437.998249 Process32NextW	process_name: windate.exe snapshot_handle: 0x00000110 process_identifier: 3868	success	1

The binary likely contains encrypted or compressed data indicative of a packer (6 个事件)

entropy

7.998882535051561

section

{'size_of_data': '0x0002ca00', 'virtual_address': '0x00001000', 'entropy': 7.998882535051561, 'name': '', 'virtual_size': '0x0006c000'}

description