10.6
0-day

0709efb482f695b80adbe0c90bbbab27919ba33ebb51bbabf249bc40313e7f07

5bdf57df940bf393303b57eb79a6f1fe.exe

Analysis duration

130s

Last analysis

File size

375.5KB
Static detections / Dynamic detections: AGEN AGENSLA AI SCORE=86 ARTEMIS ATTRIBUTE BTLDSO CLOUD CONFIDENCE GDSDA GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE IGENT KRYPTIK MALREP MKNW OCCAMY QVM03 RNDCRYPT SCORE SIGGEN9 SZVZ THEBFBO TROJANPSW TROJANPWS TROJANX TSCOPE UNSAFE XMW@AAU6BIH ZEMSILF
Eagle Eye engine
Not detected: no Eagle Eye engine results available yet
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee Artemis!5BDF57DF940B 20200605 6.0.6.653
Alibaba TrojanPSW:MSIL/Kryptik.a4181813 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:TrojanX-gen [Trj] 20200605 18.4.3895.0
Tencent Win32.Trojan.Generic.Szvz 20200605 1.0.0.1
Kingsoft 20200605 2013.8.14.323
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
Static indicators
Queries for the computer name (16 events)
Time & API Arguments Status Return Repeated
1619525845.200627
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525846.919627
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525849.856627
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525855.200627
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525890.716375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525891.887375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525893.809375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525894.591375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525883.46675
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525885.46675
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525887.684375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525888.809375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525891.106375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525892.700375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525906.48125
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619525906.48125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks whether the process is being debugged (24 events)
Time & API Arguments Status Return Repeated
1619513304.315924
IsDebuggerPresent
failed 0 0
1619513304.315924
IsDebuggerPresent
failed 0 0
1619525843.247627
IsDebuggerPresent
failed 0 0
1619525843.247627
IsDebuggerPresent
failed 0 0
1619525845.79475
IsDebuggerPresent
failed 0 0
1619525845.79475
IsDebuggerPresent
failed 0 0
1619525846.32575
IsDebuggerPresent
failed 0 0
1619525846.32575
IsDebuggerPresent
failed 0 0
1619525849.341875
IsDebuggerPresent
failed 0 0
1619525849.341875
IsDebuggerPresent
failed 0 0
1619525850.606375
IsDebuggerPresent
failed 0 0
1619525850.606375
IsDebuggerPresent
failed 0 0
1619525858.59175
IsDebuggerPresent
failed 0 0
1619525858.59175
IsDebuggerPresent
failed 0 0
1619525860.30975
IsDebuggerPresent
failed 0 0
1619525860.30975
IsDebuggerPresent
failed 0 0
1619525870.32575
IsDebuggerPresent
failed 0 0
1619525870.32575
IsDebuggerPresent
failed 0 0
1619525871.887375
IsDebuggerPresent
failed 0 0
1619525871.903375
IsDebuggerPresent
failed 0 0
1619525881.60625
IsDebuggerPresent
failed 0 0
1619525881.60625
IsDebuggerPresent
failed 0 0
1619525906.46625
IsDebuggerPresent
failed 0 0
1619525906.46625
IsDebuggerPresent
failed 0 0
Command-line console output was observed (15 events)
Time & API Arguments Status Return Repeated
1619525850.028502
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe
console_handle: 0x00000007
success 1 0
1619525850.028502
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619525847.481
WriteConsoleW
buffer: Y
console_handle: 0x00000007
success 1 0
1619525854.466125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe
console_handle: 0x00000007
success 1 0
1619525854.481125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619525851.512
WriteConsoleW
buffer: Y
console_handle: 0x00000007
success 1 0
1619525859.45075
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe
console_handle: 0x00000007
success 1 0
1619525859.48175
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619525857.77825
WriteConsoleW
buffer: Y
console_handle: 0x00000007
success 1 0
1619525875.559627
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe
console_handle: 0x00000007
success 1 0
1619525875.669627
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619525867.841375
WriteConsoleW
buffer: Y
console_handle: 0x00000007
success 1 0
1619525887.48125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe
console_handle: 0x00000007
success 1 0
1619525887.52825
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619525883.841502
WriteConsoleW
buffer: Y
console_handle: 0x00000007
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619513304.331924
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (10 events)
Time & API Arguments Status Return Repeated
1619525849.575627
__exception__
stacktrace:
0x110feb5
0x110f1c7
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2419960
registers.edi: 2419988
registers.eax: 0
registers.ebp: 2420004
registers.edx: 8
registers.ebx: 0
registers.esi: 45914628
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 56 8d 8a 0b e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x9e3732
success 0 0
1619525893.575375
__exception__
stacktrace:
0x10efeb5
0x10ef1c7
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2683048
registers.edi: 2683076
registers.eax: 0
registers.ebp: 2683092
registers.edx: 8
registers.ebx: 0
registers.esi: 45930936
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 56 8d 8a 0b e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xe63732
success 0 0
1619525932.497375
__exception__
stacktrace:
0x5d21821
0x10ef8c3
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2681620
registers.edi: 46678676
registers.eax: 151581481
registers.ebp: 2681676
registers.edx: 3
registers.ebx: 1765646036
registers.esi: 1515814813
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 2c ff 50 14 39 00 89 45 c8 69 c6 16
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x59b85bf
success 0 0
1619525933.184375
__exception__
stacktrace:
0x10ef8c3
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2681684
registers.edi: 46714884
registers.eax: 0
registers.ebp: 2683140
registers.edx: 0
registers.ebx: 1765646036
registers.esi: 2047539539
registers.ecx: 46722892
exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 8b 95 b0 fa ff ff
exception.instruction: cmp dword ptr [eax + 4], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5d21a95
success 0 0
1619525933.184375
__exception__
stacktrace:
0x5d21d26
0x10ef8c3
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2681560
registers.edi: 0
registers.eax: 10521916
registers.ebp: 2681676
registers.edx: 11
registers.ebx: 0
registers.esi: 242004079
registers.ecx: 0
exception.instruction_r: 39 09 e8 51 35 43 6c 83 78 04 00 0f 84 de 00 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x59b8eec
success 0 0
1619525890.747375
__exception__
stacktrace:
0xa802b5
0x130f1c7
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2289224
registers.edi: 2289252
registers.eax: 0
registers.ebp: 2289268
registers.edx: 8
registers.ebx: 0
registers.esi: 45957460
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 56 8d 8a 0b e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa83a62
success 0 0
1619525932.559375
__exception__
stacktrace:
0x5be1821
0x130f8c3
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2287796
registers.edi: 46672356
registers.eax: 151581481
registers.ebp: 2287852
registers.edx: 3
registers.ebx: 1765646036
registers.esi: 1515814813
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 2c ff 50 14 39 00 89 45 c8 69 c6 16
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5a785bf
success 0 0
1619525933.372375
__exception__
stacktrace:
0x130f8c3
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2287860
registers.edi: 46716776
registers.eax: 0
registers.ebp: 2289316
registers.edx: 0
registers.ebx: 1765646036
registers.esi: 2047539539
registers.ecx: 46724784
exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 8b 95 b0 fa ff ff
exception.instruction: cmp dword ptr [eax + 4], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5be1a95
success 0 0
1619525933.403375
__exception__
stacktrace:
0x5be1d26
0x130f8c3
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2287736
registers.edi: 0
registers.eax: 10521916
registers.ebp: 2287852
registers.edx: 11
registers.ebx: 0
registers.esi: 242004079
registers.ecx: 0
exception.instruction_r: 39 09 e8 51 35 37 6c 83 78 04 00 0f 84 de 00 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5a78eec
success 0 0
1619525906.45025
__exception__
stacktrace:
0x6f1593
0x6f1ed5
0x6c163c
0x6c147d
0x6c0f4a
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73f07856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73f07ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73f07d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x6c09ff
0x6c08e4
0x6c07be
0x6c0774
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4572232
registers.edi: 2010816850
registers.eax: 23117
registers.ebp: 4572252
registers.edx: 2130566132
registers.ebx: 0
registers.esi: 2010825952
registers.ecx: 1637154816
exception.instruction_r: 66 39 03 74 04 33 c0 eb 7f 8b 43 3c 81 3c 18 50
exception.instruction: cmp word ptr [ebx], ax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6f0010
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 609 events)
Time & API Arguments Status Return Repeated
1619513303.627924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00450000
success 0 0
1619513303.627924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00460000
success 0 0
1619513304.034924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00770000
success 0 0
1619513304.034924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00840000
success 0 0
1619513304.159924
NtProtectVirtualMemory
process_identifier: 368
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619513304.315924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01fe0000
success 0 0
1619513304.315924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02080000
success 0 0
1619513304.315924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ca000
success 0 0
1619513304.315924
NtProtectVirtualMemory
process_identifier: 368
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619513304.315924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c2000
success 0 0
1619513304.596924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d2000
success 0 0
1619513304.784924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00635000
success 0 0
1619513304.784924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0063b000
success 0 0
1619513304.784924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00637000
success 0 0
1619513305.002924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d3000
success 0 0
1619513305.049924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004dc000
success 0 0
1619513305.112924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c0000
success 0 0
1619513305.127924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e6000
success 0 0
1619513305.143924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ea000
success 0 0
1619513305.143924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e7000
success 0 0
1619513305.174924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d4000
success 0 0
1619513305.346924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d5000
success 0 0
1619513305.456924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c1000
success 0 0
1619513305.565924
NtAllocateVirtualMemory
process_identifier: 368
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007f0000
success 0 0
1619525843.200627
NtProtectVirtualMemory
process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75261000
success 0 0
1619525843.200627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00620000
success 0 0
1619525843.200627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006b0000
success 0 0
1619525843.216627
NtProtectVirtualMemory
process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619525843.216627
NtProtectVirtualMemory
process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x751a1000
success 0 0
1619525843.231627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00900000
success 0 0
1619525843.231627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ab0000
success 0 0
1619525843.231627
NtProtectVirtualMemory
process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619525843.247627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00760000
success 0 0
1619525843.247627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00770000
success 0 0
1619525843.247627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0063a000
success 0 0
1619525843.247627
NtProtectVirtualMemory
process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619525843.247627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00632000
success 0 0
1619525843.278627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00642000
success 0 0
1619525843.278627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00665000
success 0 0
1619525843.278627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0066b000
success 0 0
1619525843.278627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00667000
success 0 0
1619525843.278627
NtProtectVirtualMemory
process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x755f1000
success 0 0
1619525843.294627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00643000
success 0 0
1619525843.325627
NtProtectVirtualMemory
process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74511000
success 0 0
1619525843.341627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00644000
success 0 0
1619525843.341627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0064c000
success 0 0
1619525843.356627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01100000
success 0 0
1619525843.356627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 57344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01101000
success 0 0
1619525843.356627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00647000
success 0 0
1619525843.591627
NtAllocateVirtualMemory
process_identifier: 3060
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00648000
success 0 0
Steals private information from local Internet browsers (7 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
Creates a suspicious process (2 events)
cmdline cmd.exe /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe"
cmdline "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe"
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe
A process created a hidden window (7 events)
Time & API Arguments Status Return Repeated
1619513306.612924
ShellExecuteExW
parameters: /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe"
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
1619525846.51275
ShellExecuteExW
parameters: /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe"
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
1619525850.887875
ShellExecuteExW
parameters: /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe"
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
1619525934.887375
CreateProcessInternalW
thread_identifier: 3324
thread_handle: 0x00000438
process_identifier: 3304
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000444
inherit_handles: 1
success 1 0
1619525861.77875
ShellExecuteExW
parameters: /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe"
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
1619525874.20075
ShellExecuteExW
parameters: /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe"
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
1619525935.762375
CreateProcessInternalW
thread_identifier: 2184
thread_handle: 0x00000460
process_identifier: 1244
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x0000046c
inherit_handles: 1
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.126868382313826 section {'size_of_data': '0x0005d800', 'virtual_address': '0x00002000', 'entropy': 7.126868382313826, 'name': '.text', 'virtual_size': '0x0005d7a4'} description A section with a high entropy has been found
entropy 0.9973333333333333 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (10 events)
Time & API Arguments Status Return Repeated
1619513306.737924
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619525844.341627
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619525846.60675
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619525846.74775
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619525851.012875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619525851.544375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619525861.82575
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619525861.82575
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619525874.45075
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619525873.575375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (18 events)
Time & API Arguments Status Return Repeated
1619525846.85675
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000388
failed 0 0
1619525846.85675
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000388
success 0 0
1619525851.419875
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000037c
failed 0 0
1619525851.419875
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000037c
success 0 0
1619525879.872375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 3212
process_handle: 0x00000278
failed 0 0
1619525879.872375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 3212
process_handle: 0x00000278
success 0 0
1619525889.825375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 3060
process_handle: 0x00000278
failed 0 0
1619525889.825375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 3060
process_handle: 0x00000278
success 0 0
1619525862.10675
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000378
failed 0 0
1619525862.10675
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000378
success 0 0
1619525880.15375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 3212
process_handle: 0x00000274
failed 0 0
1619525880.15375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 3212
process_handle: 0x00000274
failed 3221225738 0
1619525875.77875
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x000003a0
failed 0 0
1619525875.77875
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x000003a0
success 0 0
1619525885.731375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 3916
process_handle: 0x0000027c
failed 0 0
1619525885.731375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 3916
process_handle: 0x0000027c
success 0 0
1619525886.137375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 3212
process_handle: 0x0000027c
failed 0 0
1619525886.137375
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 3212
process_handle: 0x0000027c
failed 3221225738 0
Uses Windows utilities for basic Windows functionality (3 events)
cmdline "netsh" wlan show profile
cmdline cmd.exe /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe"
cmdline "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bdf57df940bf393303b57eb79a6f1fe.exe"
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
A process attempted to delay the analysis task. (1 event)
description RegAsm.exe tried to sleep 8184646 seconds, actually delayed analysis time by 8184646 seconds
Harvests credentials from local FTP client software (3 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
Manipulates memory of a non-child process indicative of process injection (6 events)
Process injection Process 2632 manipulating memory of non-child process 3152
Process injection Process 2064 manipulating memory of non-child process 1880
Time & API Arguments Status Return Repeated
1619525846.01275
NtAllocateVirtualMemory
process_identifier: 3152
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000210
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619525846.01275
NtAllocateVirtualMemory
process_identifier: 3152
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000210
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
1619525871.37275
NtAllocateVirtualMemory
process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000214
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619525871.37275
NtAllocateVirtualMemory
process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000214
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
Harvests credentials from local email clients (5 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 172.217.160.78:443
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)
MicroWorld-eScan Trojan.GenericKD.33875799
CAT-QuickHeal Trojanpws.Msil
McAfee Artemis!5BDF57DF940B
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056081c1 )
Alibaba TrojanPSW:MSIL/Kryptik.a4181813
K7GW Trojan ( 0056081c1 )
Cybereason malicious.b692ce
Arcabit Trojan.Generic.D204E757
Invincea heuristic
BitDefenderTheta Gen:NN.ZemsilF.34126.xmW@aaU6bih
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.33875799
AegisLab Trojan.Multi.Generic.4!c
Avast Win32:TrojanX-gen [Trj]
Tencent Win32.Trojan.Generic.Szvz
Ad-Aware Trojan.GenericKD.33875799
Sophos Mal/Generic-S
F-Secure Heuristic.HEUR/AGEN.1116653
DrWeb Trojan.Siggen9.50693
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.MSIL.MALREP.THEBFBO
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Trapmine suspicious.low.ml.score
FireEye Generic.mg.5bdf57df940bf393
Emsisoft Trojan.GenericKD.33875799 (B)
Cyren W32/Trojan.MKNW-1182
Avira HEUR/AGEN.1116653
MAX malware (ai score=86)
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft Trojan:Win32/Occamy.C07
Endgame malicious (high confidence)
ViRobot Trojan.Win32.Z.Kryptik.384512.BP
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.33875799
Acronis suspicious
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.RNDCrypt.MSIL.Generic
ESET-NOD32 a variant of MSIL/Kryptik.VZM
TrendMicro-HouseCall Trojan.MSIL.MALREP.THEBFBO
Rising Trojan.Kryptik!8.8 (CLOUD)
Yandex Trojan.Igent.bTLDSO.47
Ikarus Trojan.MSIL.Agent
eGambit Unsafe.AI_Score_99%
Fortinet MSIL/Kryptik.VCR!tr
AVG Win32:TrojanX-gen [Trj]
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran.

PE Compile Time

2020-05-20 15:12:53

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.