6.8
高危
46 个模型检测该样本为恶意!
重新分析
更多

2733ea44252147c755e8214184d8740fcab0ca6de317b5fbd8f34021d97cd5cb

7067607adedc392a64e881bfb5e3fa58.exe

分析耗时

87s

最近分析

文件大小

431.5KB
静态报毒 动态报毒 AEXR AGENSLA AGENTTESLA AI SCORE=86 AM0@AM10DZK CLOUD CONFIDENCE ELAS GDSDA GENERICKD GENERICRXKR GENKRYPTIK HIGH CONFIDENCE HOSTS KRYPT KRYPTIK MALICIOUS PE PCRYPT QQPASS QQROB R011C0DEP20 SUSGEN TROJANPWS TROJANX UNSAFE ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba TrojanSpy:MSIL/AgentTesla.64a63c7e 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:TrojanX-gen [Trj] 20200601 18.4.3895.0
Kingsoft 20200601 2013.8.14.323
McAfee GenericRXKR-XS!7067607ADEDC 20200531 6.0.6.653
Tencent Msil.Trojan-qqpass.Qqrob.Aexr 20200601 1.0.0.1
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
Queries for the computername (4 个事件)
Time & API Arguments Status Return Repeated
1619612727.654
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619612728.654
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619612730.389
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619612730.529
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 131 个事件)
Time & API Arguments Status Return Repeated
1619612722.795
IsDebuggerPresent
failed 0 0
1619612725.357
IsDebuggerPresent
failed 0 0
1619612725.857
IsDebuggerPresent
failed 0 0
1619612726.404
IsDebuggerPresent
failed 0 0
1619612726.857
IsDebuggerPresent
failed 0 0
1619612727.404
IsDebuggerPresent
failed 0 0
1619612727.873
IsDebuggerPresent
failed 0 0
1619612728.404
IsDebuggerPresent
failed 0 0
1619612728.873
IsDebuggerPresent
failed 0 0
1619612729.404
IsDebuggerPresent
failed 0 0
1619612729.873
IsDebuggerPresent
failed 0 0
1619612730.404
IsDebuggerPresent
failed 0 0
1619612730.873
IsDebuggerPresent
failed 0 0
1619612731.404
IsDebuggerPresent
failed 0 0
1619612731.873
IsDebuggerPresent
failed 0 0
1619612732.404
IsDebuggerPresent
failed 0 0
1619612732.873
IsDebuggerPresent
failed 0 0
1619612733.404
IsDebuggerPresent
failed 0 0
1619612733.873
IsDebuggerPresent
failed 0 0
1619612734.404
IsDebuggerPresent
failed 0 0
1619612734.873
IsDebuggerPresent
failed 0 0
1619612735.404
IsDebuggerPresent
failed 0 0
1619612735.873
IsDebuggerPresent
failed 0 0
1619612736.404
IsDebuggerPresent
failed 0 0
1619612736.873
IsDebuggerPresent
failed 0 0
1619612737.404
IsDebuggerPresent
failed 0 0
1619612737.873
IsDebuggerPresent
failed 0 0
1619612738.404
IsDebuggerPresent
failed 0 0
1619612738.873
IsDebuggerPresent
failed 0 0
1619612739.404
IsDebuggerPresent
failed 0 0
1619612739.873
IsDebuggerPresent
failed 0 0
1619612740.404
IsDebuggerPresent
failed 0 0
1619612740.873
IsDebuggerPresent
failed 0 0
1619612741.404
IsDebuggerPresent
failed 0 0
1619612741.873
IsDebuggerPresent
failed 0 0
1619612742.404
IsDebuggerPresent
failed 0 0
1619612742.873
IsDebuggerPresent
failed 0 0
1619612743.404
IsDebuggerPresent
failed 0 0
1619612743.873
IsDebuggerPresent
failed 0 0
1619612744.404
IsDebuggerPresent
failed 0 0
1619612744.873
IsDebuggerPresent
failed 0 0
1619612745.404
IsDebuggerPresent
failed 0 0
1619612745.873
IsDebuggerPresent
failed 0 0
1619612746.404
IsDebuggerPresent
failed 0 0
1619612746.873
IsDebuggerPresent
failed 0 0
1619612747.404
IsDebuggerPresent
failed 0 0
1619612747.873
IsDebuggerPresent
failed 0 0
1619612748.404
IsDebuggerPresent
failed 0 0
1619612748.873
IsDebuggerPresent
failed 0 0
1619612749.404
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619612726.935
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (6 个事件)
Time & API Arguments Status Return Repeated
1619612730.342
__exception__
stacktrace: 
0x528fe25
0x528f0aa
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x21525f @ 0x720f525f
mscorlib+0x2150ee @ 0x720f50ee
0xa06025
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x21525f @ 0x720f525f
mscorlib+0x2150ee @ 0x720f50ee
0xa02fe0
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x215206 @ 0x720f5206
mscorlib+0x2150ee @ 0x720f50ee
0xa02eb9
0xa02ab8
0xa02a08
0xa029c3
0xa0296a
0xa0065f
0xa005ae
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3856160
registers.edi: 3856188
registers.eax: 0
registers.ebp: 3856204
registers.edx: 158
registers.ebx: 0
registers.esi: 42180404
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 dc b8 d8 f0 05 71 eb 86 8b
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4ec0399
success 0 0
1619612763.685
__exception__
stacktrace: 
0x4ec25fd
0x528f81f
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x21525f @ 0x720f525f
mscorlib+0x2150ee @ 0x720f50ee
0xa06025
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x21525f @ 0x720f525f
mscorlib+0x2150ee @ 0x720f50ee
0xa02fe0
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x215206 @ 0x720f5206
mscorlib+0x2150ee @ 0x720f50ee
0xa02eb9
0xa02ab8
0xa02a08
0xa029c3
0xa0296a
0xa0065f
0xa005ae
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3854492
registers.edi: 42628352
registers.eax: 42633116
registers.ebp: 3854560
registers.edx: 42633116
registers.ebx: 0
registers.esi: 0
registers.ecx: 1911774966
exception.instruction_r: 39 06 68 ff ff ff 7f 6a 00 8b ce e8 6f e2 23 6d
exception.instruction: cmp dword ptr [esi], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4ec5f01
success 0 0
1619612763.732
__exception__
stacktrace: 
0x4ec2759
0x528f81f
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x21525f @ 0x720f525f
mscorlib+0x2150ee @ 0x720f50ee
0xa06025
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x21525f @ 0x720f525f
mscorlib+0x2150ee @ 0x720f50ee
0xa02fe0
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x215206 @ 0x720f5206
mscorlib+0x2150ee @ 0x720f50ee
0xa02eb9
0xa02ab8
0xa02a08
0xa029c3
0xa0296a
0xa0065f
0xa005ae
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3854484
registers.edi: 3854544
registers.eax: 0
registers.ebp: 3854560
registers.edx: 3854452
registers.ebx: 42278312
registers.esi: 42711440
registers.ecx: 0
exception.instruction_r: 39 09 e8 0a c7 19 6d 89 45 b8 b8 32 ec 78 4e 35
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4ec8117
success 0 0
1619612763.998
__exception__
stacktrace: 
0x4ec295b
0x528f81f
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x21525f @ 0x720f525f
mscorlib+0x2150ee @ 0x720f50ee
0xa06025
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x21525f @ 0x720f525f
mscorlib+0x2150ee @ 0x720f50ee
0xa02fe0
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x215206 @ 0x720f5206
mscorlib+0x2150ee @ 0x720f50ee
0xa02eb9
0xa02ab8
0xa02a08
0xa029c3
0xa0296a
0xa0065f
0xa005ae
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3854504
registers.edi: 3854544
registers.eax: 205282999
registers.ebp: 3854560
registers.edx: 9
registers.ebx: 42278312
registers.esi: 2052829999
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 5c 39 00 89 45 c8 69 c6 18 d9 0e e7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x62e55bf
success 0 0
1619612764.217
__exception__
stacktrace: 
0x528f81f
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x21525f @ 0x720f525f
mscorlib+0x2150ee @ 0x720f50ee
0xa06025
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x21525f @ 0x720f525f
mscorlib+0x2150ee @ 0x720f50ee
0xa02fe0
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x215206 @ 0x720f5206
mscorlib+0x2150ee @ 0x720f50ee
0xa02eb9
0xa02ab8
0xa02a08
0xa029c3
0xa0296a
0xa0065f
0xa005ae
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3854568
registers.edi: 1219764357
registers.eax: 0
registers.ebp: 3856252
registers.edx: 3
registers.ebx: 42278312
registers.esi: 1524798387
registers.ecx: 12
exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 8b 95 f8 f9 ff ff
exception.instruction: cmp dword ptr [eax + 8], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4ec2f0c
success 0 0
1619612770.592
__exception__
stacktrace: 
0x4ec3975
0x528f81f
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x21525f @ 0x720f525f
mscorlib+0x2150ee @ 0x720f50ee
0xa06025
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x21525f @ 0x720f525f
mscorlib+0x2150ee @ 0x720f50ee
0xa02fe0
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
GetMetaDataInternalInterface+0xa329 _CorDllMain-0x35ac mscorwks+0x16545c @ 0x7409545c
GetMetaDataInternalInterface+0xa487 _CorDllMain-0x344e mscorwks+0x1655ba @ 0x740955ba
mscorlib+0x215458 @ 0x720f5458
mscorlib+0x215206 @ 0x720f5206
mscorlib+0x2150ee @ 0x720f50ee
0xa02eb9
0xa02ab8
0xa02a08
0xa029c3
0xa0296a
0xa0065f
0xa005ae
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3854456
registers.edi: 0
registers.eax: 0
registers.ebp: 3854560
registers.edx: 3854424
registers.ebx: 0
registers.esi: 1179185126
registers.ecx: 0
exception.instruction_r: 39 09 e8 a5 35 ae 6b 83 78 04 00 0f 84 16 04 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x658127c
success 0 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (50 out of 100 个事件)
Time & API Arguments Status Return Repeated
1619612721.545
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x003b0000
success 0 0
1619612721.545
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00440000
success 0 0
1619612722.529
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619612722.795
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ca000
success 0 0
1619612722.81
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619612722.81
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c2000
success 0 0
1619612723.514
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d2000
success 0 0
1619612723.826
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d3000
success 0 0
1619612723.842
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0040b000
success 0 0
1619612723.842
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00407000
success 0 0
1619612723.873
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003dc000
success 0 0
1619612724.06
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a00000
success 0 0
1619612724.654
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003da000
success 0 0
1619612724.935
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fa000
success 0 0
1619612725.029
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f2000
success 0 0
1619612725.154
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d4000
success 0 0
1619612725.185
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00405000
success 0 0
1619612725.56
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d5000
success 0 0
1619612725.67
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d7000
success 0 0
1619612725.67
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ea000
success 0 0
1619612725.67
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e7000
success 0 0
1619612725.67
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003cb000
success 0 0
1619612725.732
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e6000
success 0 0
1619612725.81
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a01000
success 0 0
1619612725.998
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04890000
success 0 0
1619612726.17
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00441000
success 0 0
1619612726.404
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04891000
success 0 0
1619612726.67
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a03000
success 0 0
1619612726.795
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d8000
success 0 0
1619612726.81
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x04fa0000
success 0 0
1619612726.81
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05020000
success 0 0
1619612726.81
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05021000
success 0 0
1619612726.842
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05022000
success 0 0
1619612726.842
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05023000
success 0 0
1619612726.842
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05024000
success 0 0
1619612726.842
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05026000
success 0 0
1619612726.842
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05028000
success 0 0
1619612726.842
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0502c000
success 0 0
1619612726.857
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d9000
success 0 0
1619612726.873
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a04000
success 0 0
1619612726.873
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0503d000
success 0 0
1619612726.873
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a05000
success 0 0
1619612726.889
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0503e000
success 0 0
1619612726.951
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a06000
success 0 0
1619612727.076
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04eb0000
success 0 0
1619612727.076
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04eb1000
success 0 0
1619612727.076
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04eb3000
success 0 0
1619612727.107
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05280000
success 0 0
1619612727.107
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 57344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05281000
success 0 0
1619612727.232
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0528f000
success 0 0
Steals private information from local Internet browsers (7 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619612764.498
CreateProcessInternalW
thread_identifier: 2840
thread_handle: 0x0000046c
process_identifier: 2576
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000480
inherit_handles: 1
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.912321295344511 section {'size_of_data': '0x0006b600', 'virtual_address': '0x00002000', 'entropy': 7.912321295344511, 'name': '.text', 'virtual_size': '0x0006b564'} description A section with a high entropy has been found
entropy 0.9965197215777262 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619612724.795
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (1 个事件)
cmdline "netsh" wlan show profile
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
A process attempted to delay the analysis task. (1 个事件)
description 7067607adedc392a64e881bfb5e3fa58.exe tried to sleep 2728428 seconds, actually delayed analysis time by 2728428 seconds
Harvests credentials from local FTP client softwares (5 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Harvests credentials from local email clients (6 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 个事件)
MicroWorld-eScan Trojan.GenericKD.33892170
CAT-QuickHeal Trojanpws.Msil
ALYac Trojan.GenericKD.33892170
Cylance Unsafe
K7AntiVirus Trojan ( 005674c81 )
Alibaba TrojanSpy:MSIL/AgentTesla.64a63c7e
K7GW Trojan ( 005674c81 )
Cybereason malicious.61d978
Arcabit Trojan.Generic.D205274A
TrendMicro TROJ_GEN.R011C0DEP20
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.33892170
Paloalto generic.ml
Rising Trojan.GenKryptik!8.AA55 (CLOUD)
Ad-Aware Trojan.GenericKD.33892170
Sophos Mal/Generic-S
DrWeb Trojan.Hosts.47613
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
FireEye Generic.mg.7067607adedc392a
Emsisoft Trojan.GenericKD.33892170 (B)
SentinelOne DFI - Malicious PE
Jiangmin Trojan.PSW.MSIL.zya
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft TrojanSpy:MSIL/AgentTesla.SM!MTB
Endgame malicious (high confidence)
AegisLab Trojan.MSIL.Agensla.i!c
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.33892170
Acronis suspicious
McAfee GenericRXKR-XS!7067607ADEDC
MAX malware (ai score=86)
Malwarebytes Trojan.PCrypt.MSIL.Generic
ESET-NOD32 a variant of MSIL/Kryptik.WAO
TrendMicro-HouseCall TROJ_GEN.R011C0DEP20
Tencent Msil.Trojan-qqpass.Qqrob.Aexr
Ikarus Trojan.MSIL.Krypt
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Agensla.ELAS!tr.pws
BitDefenderTheta Gen:NN.ZemsilF.34122.Am0@am10dzk
AVG Win32:TrojanX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_90% (W)
Qihoo-360 Generic/Trojan.PSW.374
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-23 10:40:13

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50003 239.255.255.250 3702
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 63432 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.