SmartHawk

10.8

0-day

58 个模型检测该样本为恶意！

重新分析

下载样本

b99887f1364955d2872bedadab15a15a51429ec8aeb111859d50e24a9fd31342

c7c51bf3b7e17a1f6a3502309fc13604.exe

分析耗时

96s

最近分析

文件大小

2.0MB

静态报毒动态报毒 100% AGEN AI SCORE=89 ARTEMIS ATTRIBUTE BYMI CLOUD COINSTEALER CONFIDENCE DPZC GDLTR GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HUPJJA ICLOADER KCLOUD KVMH008 MALWARE@#GF2VP5N38CWP MULDROP13 PACKEDTHEMIDA SAVE SCORE SCROP SPYEYES STATIC AI SUSGEN SUSPICIOUS PE TAOR THEMIDA TROJANX TSCOPE UNSAFE Z0AAWS ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanDropper:Win32/Scrop.411d2215	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:TrojanX-gen [Trj]	20210217	21.1.5827.0
Tencent	Win32.Trojan-dropper.Scrop.Taor	20210217	1.0.0.1
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)	20210217	2017.9.26.565
McAfee	Artemis!C7C51BF3B7E1	20210217	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20210203	1.0

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1620917615.91875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620917615.93475 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620917616.46575 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (41 个事件)

Time & API	Arguments	Status	Return	Repeated
1620917611.38775 IsDebuggerPresent		failed	0	0
1620917613.35675 IsDebuggerPresent		failed	0	0
1620917615.37275 IsDebuggerPresent		failed	0	0
1620917617.38775 IsDebuggerPresent		failed	0	0
1620917618.419125 IsDebuggerPresent		failed	0	0
1620917618.591125 IsDebuggerPresent		failed	0	0
1620917620.263125 IsDebuggerPresent		failed	0	0
1620917622.310125 IsDebuggerPresent		failed	0	0
1620917624.326125 IsDebuggerPresent		failed	0	0
1620917626.451125 IsDebuggerPresent		failed	0	0
1620917628.466125 IsDebuggerPresent		failed	0	0
1620917630.482125 IsDebuggerPresent		failed	0	0
1620917632.498125 IsDebuggerPresent		failed	0	0
1620917634.513125 IsDebuggerPresent		failed	0	0
1620917636.529125 IsDebuggerPresent		failed	0	0
1620917638.544125 IsDebuggerPresent		failed	0	0
1620917640.560125 IsDebuggerPresent		failed	0	0
1620917642.576125 IsDebuggerPresent		failed	0	0
1620917644.623125 IsDebuggerPresent		failed	0	0
1620917646.638125 IsDebuggerPresent		failed	0	0
1620917648.654125 IsDebuggerPresent		failed	0	0
1620917650.669125 IsDebuggerPresent		failed	0	0
1620917652.685125 IsDebuggerPresent		failed	0	0
1620917654.701125 IsDebuggerPresent		failed	0	0
1620917656.716125 IsDebuggerPresent		failed	0	0
1620917658.732125 IsDebuggerPresent		failed	0	0
1620917660.748125 IsDebuggerPresent		failed	0	0
1620917662.763125 IsDebuggerPresent		failed	0	0
1620917664.779125 IsDebuggerPresent		failed	0	0
1620917666.794125 IsDebuggerPresent		failed	0	0
1620917668.810125 IsDebuggerPresent		failed	0	0
1620917670.826125 IsDebuggerPresent		failed	0	0
1620917672.841125 IsDebuggerPresent		failed	0	0
1620917674.857125 IsDebuggerPresent		failed	0	0
1620917676.873125 IsDebuggerPresent		failed	0	0
1620917678.888125 IsDebuggerPresent		failed	0	0
1620917680.904125 IsDebuggerPresent		failed	0	0
1620917682.919125 IsDebuggerPresent		failed	0	0
1620917684.935125 IsDebuggerPresent		failed	0	0
1620917686.951125 IsDebuggerPresent		failed	0	0
1620917688.966125 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620917612.15375 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 个事件)

section	\x00
section	.idata
section
section	femxmhlx
section	eeqbunrj

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

CURSOR

One or more processes crashed (50 out of 226 个事件)

Time & API	Arguments	Status
1620917610.70075 __exception__	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1505296 registers.edi: 0 registers.eax: 1 registers.ebp: 1505312 registers.edx: 18718720 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x30f0b9 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 3207353 exception.address: 0x103f0b9	success
1620917610.70075 __exception__	stacktrace: registers.esp: 1505264 registers.edi: 4294943328 registers.eax: 14345705 registers.ebp: 3996016660 registers.edx: 13828096 registers.ebx: 0 registers.esi: 3 registers.ecx: 238825 exception.instruction_r: fb 53 52 81 ec 04 00 00 00 89 0c 24 e9 1e 00 00 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x786ea exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 493290 exception.address: 0xda86ea	success
1620917610.70075 __exception__	stacktrace: registers.esp: 1505264 registers.edi: 4294943328 registers.eax: 14350539 registers.ebp: 3996016660 registers.edx: 1259 registers.ebx: 0 registers.esi: 4294942600 registers.ecx: 238825 exception.instruction_r: fb ba c5 d8 de 10 83 ec 04 e9 31 02 00 00 81 c2 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x792ec exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 496364 exception.address: 0xda92ec	success
1620917610.70075 __exception__	stacktrace: registers.esp: 1505264 registers.edi: 14359067 registers.eax: 15906530 registers.ebp: 3996016660 registers.edx: 2130566132 registers.ebx: 45875900 registers.esi: 15864907 registers.ecx: 700 exception.instruction_r: fb 31 c9 ff 34 01 ff 34 24 ff 34 24 8b 1c 24 81 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x1f5888 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2054280 exception.address: 0xf25888	success
1620917610.70075 __exception__	stacktrace: registers.esp: 1505264 registers.edi: 14359067 registers.eax: 15906530 registers.ebp: 3996016660 registers.edx: 2130566132 registers.ebx: 69865 registers.esi: 15864907 registers.ecx: 4294943708 exception.instruction_r: fb 57 89 04 24 e9 af ff ff ff bb c7 fd 3d 0b 31 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x1f568a exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2053770 exception.address: 0xf2568a	success
1620917610.71575 __exception__	stacktrace: registers.esp: 1505260 registers.edi: 15888270 registers.eax: 27958 registers.ebp: 3996016660 registers.edx: 15885851 registers.ebx: 15885851 registers.esi: 0 registers.ecx: 278649898 exception.instruction_r: fb 50 89 1c 24 bb 94 c1 e3 7f c1 e3 02 43 f7 db exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x1f74ef exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2061551 exception.address: 0xf274ef	success
1620917610.71575 __exception__	stacktrace: registers.esp: 1505264 registers.edi: 15916228 registers.eax: 27958 registers.ebp: 3996016660 registers.edx: 15885851 registers.ebx: 15885851 registers.esi: 0 registers.ecx: 278649898 exception.instruction_r: fb 52 e9 e8 fe ff ff 83 ec 04 89 0c 24 b9 ea b5 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x1f7379 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2061177 exception.address: 0xf27379	success
1620917610.71575 __exception__	stacktrace: registers.esp: 1505264 registers.edi: 15916228 registers.eax: 50665 registers.ebp: 3996016660 registers.edx: 15885851 registers.ebx: 15885851 registers.esi: 0 registers.ecx: 4294942836 exception.instruction_r: fb e9 94 fa ff ff 81 c3 c1 d7 fe 7d 51 e9 e6 fa exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x1f7c16 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2063382 exception.address: 0xf27c16	success
1620917610.71575 __exception__	stacktrace: registers.esp: 1505260 registers.edi: 15916228 registers.eax: 25619 registers.ebp: 3996016660 registers.edx: 15885851 registers.ebx: 15902073 registers.esi: 0 registers.ecx: 15885851 exception.instruction_r: fb 50 e9 4c 01 00 00 5c 81 c1 01 00 00 00 83 c1 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x1fa98a exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2075018 exception.address: 0xf2a98a	success
1620917610.71575 __exception__	stacktrace: registers.esp: 1505264 registers.edi: 15916228 registers.eax: 25619 registers.ebp: 3996016660 registers.edx: 15885851 registers.ebx: 15927692 registers.esi: 0 registers.ecx: 15885851 exception.instruction_r: fb e9 c3 03 00 00 59 33 34 24 31 34 24 e9 a9 03 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x1fa5f1 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2074097 exception.address: 0xf2a5f1	success
1620917610.71575 __exception__	stacktrace: registers.esp: 1505264 registers.edi: 4294944604 registers.eax: 25619 registers.ebp: 3996016660 registers.edx: 134889 registers.ebx: 15927692 registers.esi: 0 registers.ecx: 15885851 exception.instruction_r: fb 57 89 1c 24 bb 23 fd ec 47 89 da ff 34 24 5b exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x1fac0b exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2075659 exception.address: 0xf2ac0b	success
1620917610.74775 __exception__	stacktrace: registers.esp: 1505256 registers.edi: 6368778 registers.eax: 1447909480 registers.ebp: 3996016660 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 15926438 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 52 e9 aa 00 00 00 bf 04 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x204db0 exception.instruction: in eax, dx exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2117040 exception.address: 0xf34db0	success
1620917610.74775 __exception__	stacktrace: registers.esp: 1505256 registers.edi: 6368778 registers.eax: 1 registers.ebp: 3996016660 registers.edx: 22104 registers.ebx: 0 registers.esi: 15926438 registers.ecx: 20 exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x2052f0 exception.address: 0xf352f0 exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc000001d exception.offset: 2118384	success
1620917610.74775 __exception__	stacktrace: registers.esp: 1505256 registers.edi: 6368778 registers.eax: 1447909480 registers.ebp: 3996016660 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 15926438 registers.ecx: 10 exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 aa 28 ac 12 01 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x2009da exception.instruction: in eax, dx exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2099674 exception.address: 0xf309da	success
1620917610.96575 __exception__	stacktrace: registers.esp: 1505260 registers.edi: 6368778 registers.eax: 28022 registers.ebp: 3996016660 registers.edx: 15961166 registers.ebx: 52887968 registers.esi: 10 registers.ecx: 3292463104 exception.instruction_r: fb 81 ea 10 56 f1 4f 51 b9 ba 07 4b 7f 29 ca 59 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x209794 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2135956 exception.address: 0xf39794	success
1620917610.96575 __exception__	stacktrace: registers.esp: 1505264 registers.edi: 6368778 registers.eax: 28022 registers.ebp: 3996016660 registers.edx: 15989188 registers.ebx: 1392536160 registers.esi: 4294942496 registers.ecx: 3292463104 exception.instruction_r: fb 56 89 e6 81 c6 04 00 00 00 83 ee 04 87 34 24 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x208ef2 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2133746 exception.address: 0xf38ef2	success
1620917610.96575 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 0 registers.eax: 1505224 registers.ebp: 3996016660 registers.edx: 27276 registers.ebx: 15965438 registers.esi: 55355 registers.ecx: 27276 exception.instruction_r: cd 01 eb 00 6a 00 52 e8 03 00 00 00 20 5a c3 5a exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x209b82 exception.instruction: int 1 exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000005 exception.offset: 2136962 exception.address: 0xf39b82	success
1620917610.96575 __exception__	stacktrace: registers.esp: 1505260 registers.edi: 6368778 registers.eax: 27191 registers.ebp: 3996016660 registers.edx: 15992208 registers.ebx: 1392536160 registers.esi: 234610159 registers.ecx: 15983290 exception.instruction_r: fb e9 90 03 00 00 89 04 24 b8 d1 4d 7f 57 e9 2b exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x21079d exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2164637 exception.address: 0xf4079d	success
1620917610.98175 __exception__	stacktrace: registers.esp: 1505264 registers.edi: 6368778 registers.eax: 1284037224 registers.ebp: 3996016660 registers.edx: 15995367 registers.ebx: 1392536160 registers.esi: 234610159 registers.ecx: 0 exception.instruction_r: fb 50 57 50 b8 26 e3 4e 14 e9 ae 01 00 00 89 24 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x211015 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2166805 exception.address: 0xf41015	success
1620917611.23175 __exception__	stacktrace: registers.esp: 1505264 registers.edi: 4294939912 registers.eax: 30472 registers.ebp: 3996016660 registers.edx: 16058999 registers.ebx: 52888283 registers.esi: 1983190032 registers.ecx: 73449 exception.instruction_r: fb 83 ec 04 89 04 24 89 34 24 57 bf 29 12 b7 3f exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x21960f exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2201103 exception.address: 0xf4960f	success
1620917611.23175 __exception__	stacktrace: registers.esp: 1505256 registers.edi: 1122588242 registers.eax: 32193 registers.ebp: 3996016660 registers.edx: 485460186 registers.ebx: 4294937848 registers.esi: 16083383 registers.ecx: 485460186 exception.instruction_r: fb 83 ec 04 89 0c 24 c7 04 24 c2 9a a2 57 e9 91 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x21ec1e exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2223134 exception.address: 0xf4ec1e	success
1620917611.23175 __exception__	stacktrace: registers.esp: 1505256 registers.edi: 16056941 registers.eax: 0 registers.ebp: 3996016660 registers.edx: 485460186 registers.ebx: 2062316261 registers.esi: 16083383 registers.ecx: 3923937618 exception.instruction_r: fb 53 bb 0c 2a f7 5d e9 dc fd ff ff 52 89 e2 e9 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x220265 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2228837 exception.address: 0xf50265	success
1620917611.26275 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16231760 registers.eax: 28033 registers.ebp: 3996016660 registers.edx: 2130566132 registers.ebx: 480428392 registers.esi: 4294942212 registers.ecx: 3292463104 exception.instruction_r: fb 51 e9 16 00 00 00 01 f3 5e 81 eb 03 b3 ff 73 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x244a6c exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2378348 exception.address: 0xf74a6c	success
1620917611.26275 __exception__	stacktrace: registers.esp: 1505220 registers.edi: 4007251268 registers.eax: 30586 registers.ebp: 3996016660 registers.edx: 16212213 registers.ebx: 16777537 registers.esi: 16206676 registers.ecx: 28806513 exception.instruction_r: fb 57 89 0c 24 52 ba b5 d4 f5 7e c1 e2 06 e9 36 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x246930 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2386224 exception.address: 0xf76930	success
1620917611.27875 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 322689 registers.eax: 30586 registers.ebp: 3996016660 registers.edx: 16242799 registers.ebx: 16777537 registers.esi: 4294940248 registers.ecx: 28806513 exception.instruction_r: fb 56 89 14 24 c7 04 24 b9 4d ff 3d c1 2c 24 05 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x246626 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2385446 exception.address: 0xf76626	success
1620917611.27875 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16242777 registers.eax: 26816 registers.ebp: 3996016660 registers.edx: 16242799 registers.ebx: 1727564384 registers.esi: 4294940248 registers.ecx: 4294942728 exception.instruction_r: fb 55 89 0c 24 b9 c2 15 f7 7e 83 ec 04 89 3c 24 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x247350 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2388816 exception.address: 0xf77350	success
1620917611.27875 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16218923 registers.eax: 16223906 registers.ebp: 3996016660 registers.edx: 478761553 registers.ebx: 1727564530 registers.esi: 16218237 registers.ecx: 0 exception.instruction_r: fb 53 89 3c 24 c7 04 24 75 f9 43 3f 89 04 24 51 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x2488ab exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2394283 exception.address: 0xf788ab	success
1620917611.27875 __exception__	stacktrace: registers.esp: 1505220 registers.edi: 16218923 registers.eax: 26858 registers.ebp: 3996016660 registers.edx: 1193142812 registers.ebx: 1122790993 registers.esi: 16218237 registers.ecx: 16224106 exception.instruction_r: fb 53 e9 72 08 00 00 b8 38 7d d7 7b 21 c6 8b 04 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x249166 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2396518 exception.address: 0xf79166	success
1620917611.27875 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16218923 registers.eax: 0 registers.ebp: 3996016660 registers.edx: 1193142812 registers.ebx: 3924265303 registers.esi: 16218237 registers.ecx: 16227376 exception.instruction_r: fb 83 ec 04 e9 25 03 00 00 29 d1 5a 81 ec 04 00 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x2494e7 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2397415 exception.address: 0xf794e7	success
1620917611.27875 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16218923 registers.eax: 16280802 registers.ebp: 3996016660 registers.edx: 2130695138 registers.ebx: 14322210 registers.esi: 16218237 registers.ecx: 2002452622 exception.instruction_r: fb 29 ff ff 34 07 e9 87 02 00 00 8b 24 24 51 b9 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x24fac0 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2423488 exception.address: 0xf7fac0	success
1620917611.29375 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 4294938748 registers.eax: 16280802 registers.ebp: 3996016660 registers.edx: 3939837675 registers.ebx: 14322210 registers.esi: 16218237 registers.ecx: 2002452622 exception.instruction_r: fb e9 0f 06 00 00 f7 db 53 f7 1c 24 8b 1c 24 83 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x24f4d7 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2421975 exception.address: 0xf7f4d7	success
1620917611.29375 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 1003627648 registers.eax: 30355 registers.ebp: 3996016660 registers.edx: 16253502 registers.ebx: 1003627648 registers.esi: 16252928 registers.ecx: 16284297 exception.instruction_r: fb 29 f6 ff 34 31 68 4f 5e b4 2d 89 04 24 b8 7a exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x250a97 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2427543 exception.address: 0xf80a97	success
1620917611.29375 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 1003627648 registers.eax: 30355 registers.ebp: 3996016660 registers.edx: 81129 registers.ebx: 1003627648 registers.esi: 4294939508 registers.ecx: 16284297 exception.instruction_r: fb e9 0f 06 00 00 bb 7a a6 57 7b 29 da 5b 56 54 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x2507b1 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2426801 exception.address: 0xf807b1	success
1620917611.29375 __exception__	stacktrace: registers.esp: 1505220 registers.edi: 16259277 registers.eax: 26729 registers.ebp: 3996016660 registers.edx: 81129 registers.ebx: 1003627648 registers.esi: 4294939508 registers.ecx: 1406353131 exception.instruction_r: fb 51 b9 ef ac 53 47 55 bd 93 e7 ff 67 f7 dd e9 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x25221b exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2433563 exception.address: 0xf8221b	success
1620917611.29375 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16286006 registers.eax: 26729 registers.ebp: 3996016660 registers.edx: 81129 registers.ebx: 1003627648 registers.esi: 4294939508 registers.ecx: 1406353131 exception.instruction_r: fb 55 89 1c 24 89 34 24 89 e6 e9 91 fc ff ff 5c exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x251fec exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2433004 exception.address: 0xf81fec	success
1620917611.29375 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16262230 registers.eax: 0 registers.ebp: 3996016660 registers.edx: 81129 registers.ebx: 1003627648 registers.esi: 2298801283 registers.ecx: 1406353131 exception.instruction_r: fb 53 89 2c 24 68 57 bf 26 7a 89 04 24 53 bb 00 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x251ef0 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2432752 exception.address: 0xf81ef0	success
1620917611.30975 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16262230 registers.eax: 4294941280 registers.ebp: 3996016660 registers.edx: 2130566132 registers.ebx: 605325653 registers.esi: 16263884 registers.ecx: 16311066 exception.instruction_r: fb 68 56 aa 2a 63 89 3c 24 bf 5f ac 7f 7c c1 ef exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x2574cd exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2454733 exception.address: 0xf874cd	success
1620917611.38775 __exception__	stacktrace: registers.esp: 1505220 registers.edi: 16304091 registers.eax: 26850 registers.ebp: 3996016660 registers.edx: 16326116 registers.ebx: 16304059 registers.esi: 16304055 registers.ecx: 3292463104 exception.instruction_r: fb 68 53 03 6e 6d 89 04 24 68 b6 92 fe 7f 58 01 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x262585 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2499973 exception.address: 0xf92585	success
1620917611.38775 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16304091 registers.eax: 26850 registers.ebp: 3996016660 registers.edx: 16352966 registers.ebx: 16304059 registers.esi: 16304055 registers.ecx: 3292463104 exception.instruction_r: fb 50 c7 04 24 b9 47 cf 75 ff 0c 24 31 0c 24 33 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x262348 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2499400 exception.address: 0xf92348	success
1620917611.38775 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 0 registers.eax: 26850 registers.ebp: 3996016660 registers.edx: 16328750 registers.ebx: 16304059 registers.esi: 16304055 registers.ecx: 24176976 exception.instruction_r: fb e9 96 fb ff ff 53 bb 69 24 85 66 01 dd 8b 1c exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x2622ec exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2499308 exception.address: 0xf922ec	success
1620917611.38775 __exception__	stacktrace: registers.esp: 1505220 registers.edi: 16384922 registers.eax: 16396073 registers.ebp: 3996016660 registers.edx: 2130566132 registers.ebx: 2002452454 registers.esi: 16304055 registers.ecx: 3292463104 exception.instruction_r: fb 56 50 68 ed 31 8f 7b e9 3d 02 00 00 8b 24 24 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x27323c exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2568764 exception.address: 0xfa323c	success
1620917611.38775 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16384922 registers.eax: 16424394 registers.ebp: 3996016660 registers.edx: 2130566132 registers.ebx: 2002452454 registers.esi: 16304055 registers.ecx: 3292463104 exception.instruction_r: fb 56 52 89 2c 24 bd 03 20 ef 57 81 c5 50 d8 90 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x27382a exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2570282 exception.address: 0xfa382a	success
1620917611.40375 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 4294941772 registers.eax: 16424394 registers.ebp: 3996016660 registers.edx: 2130566132 registers.ebx: 2002452454 registers.esi: 604292951 registers.ecx: 3292463104 exception.instruction_r: fb 53 89 04 24 68 c6 23 16 6d 89 0c 24 89 34 24 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x27350f exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2569487 exception.address: 0xfa350f	success
1620917611.40375 __exception__	stacktrace: registers.esp: 1505220 registers.edi: 16426430 registers.eax: 25588 registers.ebp: 3996016660 registers.edx: 9 registers.ebx: 2266824415 registers.esi: 137026667 registers.ecx: 10 exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 e9 9d 00 00 00 89 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x27a5ec exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2598380 exception.address: 0xfaa5ec	success
1620917611.40375 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16452018 registers.eax: 25588 registers.ebp: 3996016660 registers.edx: 9 registers.ebx: 2266824415 registers.esi: 137026667 registers.ecx: 10 exception.instruction_r: fb 68 c9 f1 de 0d e9 99 05 00 00 89 24 24 52 e9 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x27a72f exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2598703 exception.address: 0xfaa72f	success
1620917611.40375 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16452018 registers.eax: 25588 registers.ebp: 3996016660 registers.edx: 604801367 registers.ebx: 2266824415 registers.esi: 4294944392 registers.ecx: 10 exception.instruction_r: fb 56 50 c7 04 24 a2 f4 7d 7a ff 0c 24 c1 24 24 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x27ad6d exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2600301 exception.address: 0xfaad6d	success
1620917611.40375 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16497352 registers.eax: 32395 registers.ebp: 3996016660 registers.edx: 12 registers.ebx: 16430561 registers.esi: 6134608 registers.ecx: 13 exception.instruction_r: fb 50 c7 04 24 bf 90 4b 17 89 3c 24 55 e9 a7 fe exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x284166 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2638182 exception.address: 0xfb4166	success
1620917611.40375 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16468092 registers.eax: 32395 registers.ebp: 3996016660 registers.edx: 12 registers.ebx: 16430561 registers.esi: 1161919080 registers.ecx: 0 exception.instruction_r: fb 57 bf cc 9a 7c 7d 53 89 e3 81 c3 04 00 00 00 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x283fa9 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2637737 exception.address: 0xfb3fa9	success
1620917611.41875 __exception__	stacktrace: registers.esp: 1505224 registers.edi: 16563897 registers.eax: 4294938044 registers.ebp: 3996016660 registers.edx: 2130566132 registers.ebx: 16469528 registers.esi: 2010382348 registers.ecx: 2298801283 exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 be 16 fe c7 5b 68 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x2945f9 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2704889 exception.address: 0xfc45f9	success
1620917611.41875 __exception__	stacktrace: registers.esp: 1505220 registers.edi: 16563897 registers.eax: 27166 registers.ebp: 3996016660 registers.edx: 1539833366 registers.ebx: 639552889 registers.esi: 2010382348 registers.ecx: 16534942 exception.instruction_r: fb e9 74 01 00 00 53 bb e0 14 fd 4b 29 d9 5b 29 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x294e73 exception.instruction: sti exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2707059 exception.address: 0xfc4e73	success

Allocates read-write-execute memory (usually to unpack itself) (50 out of 55 个事件)

Time & API	Arguments	Status
1620917611.40375 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1620917611.40375 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1620917611.48175 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00d31000	success
1620917611.51275 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f0000	success
1620917611.51275 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00600000	success
1620917611.52875 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00920000	success
1620917611.52875 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a30000	success
1620917611.52875 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a90000	success
1620917611.52875 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ae0000	success
1620917611.52875 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00af0000	success
1620917611.52875 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b40000	success
1620917611.52875 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b50000	success
1620917611.52875 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c60000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c70000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00cc0000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00cd0000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ce0000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02620000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02630000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x026c0000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a90000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a90000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02710000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02720000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02770000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a90000	success
1620917611.54375 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a90000	success
1620917254.390645 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004080000	success
1620917618.419125 NtProtectVirtualMemory	process_identifier: 3204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77dcf000	success
1620917618.419125 NtProtectVirtualMemory	process_identifier: 3204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x77d40000	success
1620917618.466125 NtProtectVirtualMemory	process_identifier: 3204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01331000	success
1620917618.513125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e0000	success
1620917618.513125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f0000	success
1620917618.513125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00640000	success
1620917618.513125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a40000	success
1620917618.513125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a50000	success
1620917618.529125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00aa0000	success
1620917618.529125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ab0000	success
1620917618.529125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bc0000	success
1620917618.529125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c10000	success
1620917618.529125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c60000	success
1620917618.529125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c70000	success
1620917618.529125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e80000	success
1620917618.529125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e90000	success
1620917618.529125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00fa0000	success
1620917618.544125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ff0000	success
1620917618.544125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01140000	success
1620917618.544125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01150000	success
1620917618.544125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a50000	success
1620917618.544125 NtAllocateVirtualMemory	process_identifier: 3204 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a50000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 个事件)

description

SmartClock.exe tried to sleep 629 seconds, actually delayed analysis time by 629 seconds

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Creates a shortcut to an executable file (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)

entropy

7.979019035570942

section

{'size_of_data': '0x0000fc00', 'virtual_address': '0x00001000', 'entropy': 7.979019035570942, 'name': ' \\x00 ', 'virtual_size': '0x00023000'}

description

A section with a high entropy has been found

entropy

7.953059904033079

section

{'size_of_data': '0x0019a200', 'virtual_address': '0x0030f000', 'entropy': 7.953059904033079, 'name': 'femxmhlx', 'virtual_size': '0x0019b000'}

description

A section with a high entropy has been found

entropy

0.840404538727183

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 个事件)

process

system

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Checks for the presence of known devices from debuggers and forensic tools (3 个事件)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 244 个事件)

Time & API	Arguments	Status
1620917611.38775 FindWindowA	class_name: OLLYDBG window_name:	failed
1620917611.38775 FindWindowA	class_name: GBDYLLO window_name:	failed
1620917611.38775 FindWindowA	class_name: pediy06 window_name:	failed
1620917611.40375 FindWindowA	class_name: FilemonClass window_name:	failed
1620917611.40375 FindWindowA	class_name: FilemonClass window_name:	failed
1620917611.40375 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620917611.40375 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620917611.40375 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620917611.40375 FindWindowA	class_name: RegmonClass window_name:	failed
1620917611.40375 FindWindowA	class_name: RegmonClass window_name:	failed
1620917611.40375 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1620917611.40375 FindWindowA	class_name: 18467-41 window_name:	failed
1620917611.46575 FindWindowA	class_name: FilemonClass window_name:	failed
1620917611.46575 FindWindowA	class_name: FilemonClass window_name:	failed
1620917611.46575 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620917611.46575 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620917611.46575 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620917613.35675 FindWindowA	class_name: OLLYDBG window_name:	failed
1620917613.35675 FindWindowA	class_name: GBDYLLO window_name:	failed
1620917613.35675 FindWindowA	class_name: pediy06 window_name:	failed
1620917615.37275 FindWindowA	class_name: OLLYDBG window_name:	failed
1620917615.37275 FindWindowA	class_name: GBDYLLO window_name:	failed
1620917615.37275 FindWindowA	class_name: pediy06 window_name:	failed
1620917615.51275 FindWindowA	class_name: Regmonclass window_name:	failed
1620917615.51275 FindWindowA	class_name: Regmonclass window_name:	failed
1620917615.82575 FindWindowA	class_name: 18467-41 window_name:	failed
1620917616.13775 FindWindowA	class_name: Filemonclass window_name:	failed
1620917616.13775 FindWindowA	class_name: Filemonclass window_name:	failed
1620917616.13775 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620917617.38775 FindWindowA	class_name: OLLYDBG window_name:	failed
1620917617.38775 FindWindowA	class_name: GBDYLLO window_name:	failed
1620917617.38775 FindWindowA	class_name: pediy06 window_name:	failed
1620917618.419125 FindWindowA	class_name: OLLYDBG window_name:	failed
1620917618.419125 FindWindowA	class_name: GBDYLLO window_name:	failed
1620917618.419125 FindWindowA	class_name: pediy06 window_name:	failed
1620917618.419125 FindWindowA	class_name: FilemonClass window_name:	failed
1620917618.419125 FindWindowA	class_name: FilemonClass window_name:	failed
1620917618.419125 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620917618.419125 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620917618.419125 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620917618.419125 FindWindowA	class_name: RegmonClass window_name:	failed
1620917618.419125 FindWindowA	class_name: RegmonClass window_name:	failed
1620917618.419125 FindWindowA	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com	failed
1620917618.419125 FindWindowA	class_name: 18467-41 window_name:	failed
1620917618.466125 FindWindowA	class_name: FilemonClass window_name:	failed
1620917618.466125 FindWindowA	class_name: FilemonClass window_name:	failed
1620917618.466125 FindWindowA	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com	failed
1620917618.466125 FindWindowA	class_name: PROCMON_WINDOW_CLASS window_name:	failed
1620917618.466125 FindWindowA	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com	failed
1620917620.263125 FindWindowA	class_name: OLLYDBG window_name:	failed

Checks the version of Bios, possibly for anti-virtualization (2 个事件)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Detects VirtualBox through the presence of a registry key (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Detects VMWare through the in instruction feature (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620917610.74775 __exception__	stacktrace: registers.esp: 1505256 registers.edi: 6368778 registers.eax: 1447909480 registers.ebp: 3996016660 registers.edx: 22104 registers.ebx: 1983254709 registers.esi: 15926438 registers.ecx: 20 exception.instruction_r: ed 64 8f 05 00 00 00 00 52 e9 aa 00 00 00 bf 04 exception.symbol: c7c51bf3b7e17a1f6a3502309fc13604+0x204db0 exception.instruction: in eax, dx exception.module: c7c51bf3b7e17a1f6a3502309fc13604.exe exception.exception_code: 0xc0000096 exception.offset: 2117040 exception.address: 0xf34db0	success	0	0

Detects the presence of Wine emulator (1 个事件)

registry

HKEY_CURRENT_USER\Software\Wine

Generates some ICMP traffic

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43809057
FireEye	Generic.mg.c7c51bf3b7e17a1f
CAT-QuickHeal	Trojan.Generic
Qihoo-360	Win32/Trojan.fc8
ALYac	Spyware.SpyEyes
Cylance	Unsafe
Zillya	Trojan.Themida.Win32.56147
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00569d041 )
Alibaba	TrojanDropper:Win32/Scrop.411d2215
K7GW	Trojan ( 00569d041 )
Cybereason	malicious.3b7e17
Arcabit	Trojan.Generic.D29C7921
Cyren	W32/Trojan.DPZC-0226
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-Dropper.Win32.Scrop.vho
BitDefender	Trojan.GenericKD.43809057
NANO-Antivirus	Trojan.Win32.Scrop.hupjja
Paloalto	generic.ml
AegisLab	Trojan.Win32.Scrop.b!c
Tencent	Win32.Trojan-dropper.Scrop.Taor
Ad-Aware	Trojan.GenericKD.43809057
Sophos	Mal/Generic-S
Comodo	Malware@#gf2vp5n38cwp
F-Secure	Heuristic.HEUR/AGEN.1138094
DrWeb	Trojan.MulDrop13.60396
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Emsisoft	Trojan.GenericKD.43809057 (B)
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.Generic.gdltr
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1138094
Antiy-AVL	Trojan[Dropper]/Win32.Scrop
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Gridinsoft	Trojan.Win32.Packed.vb
Microsoft	Trojan:MSIL/Cryptor
ZoneAlarm	HEUR:Trojan-Dropper.Win32.Scrop.vho
GData	Trojan.GenericKD.43809057
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Scrop.C4152230
McAfee	Artemis!C7C51BF3B7E1
MAX	malware (ai score=89)
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Trojan.ICLoader
ESET-NOD32	a variant of Win32/Packed.Themida.HMI
Rising	Dropper.Scrop!8.EABB (CLOUD)

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-03-15 02:59:56

Imports

Library kernel32.dll:

• 0x475033 lstrcpy

Library comctl32.dll:

• 0x47503b InitCommonControls

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net A 51.105.208.173
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	60124	239.255.255.250	3702
192.168.56.101	62194	239.255.255.250	1900
192.168.56.101	50534	8.8.8.8	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.