13.0
0-day
46 个模型检测该样本为恶意!
重新分析
更多

ffa7117f714802d684e6ad353bcd947c65d8c08b99c7737fd26c6fe92c4d47c7

9be2c07044dd29bce61679a6d7093b42.exe

分析耗时

121s

最近分析

文件大小

937.5KB
静态报毒 动态报毒 100% 6M0@AGJ47SB AGENSLA AI SCORE=88 CONFIDENCE ELDORADO ESBZ FAREIT FI7UISTX7FV GENERICKD GENKRYPTIK HEAPOVERRIDE HIGH CONFIDENCE HXZU KRYPTIK MALWARE@#SN7CE7OYDV4Z MALWAREX QQPASS QQROB R03BC0GID20 SIGGEN2 TROJANPSW UNSAFE YMACCO ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Alibaba TrojanPSW:MSIL/Agensla.210b2575 20190527 0.3.0.5
Avast Win32:MalwareX-gen [Trj] 20200918 18.4.3895.0
Baidu 20190318 1.0.0.2
Kingsoft 20200919 2013.8.14.323
McAfee Fareit-FZV!9BE2C07044DD 20200918 6.0.6.653
Tencent Msil.Trojan-qqpass.Qqrob.Hxzu 20200919 1.0.0.1
静态指标
Queries for the computername (6 个事件)
Time & API Arguments Status Return Repeated
1620808750.92175
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620808800.03075
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620808801.32775
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620808803.39075
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620808803.98375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620813490.824625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 301 个事件)
Time & API Arguments Status Return Repeated
1620808746.71875
IsDebuggerPresent
failed 0 0
1620808746.71875
IsDebuggerPresent
failed 0 0
1620808749.06175
IsDebuggerPresent
failed 0 0
1620808749.56175
IsDebuggerPresent
failed 0 0
1620808750.07775
IsDebuggerPresent
failed 0 0
1620808750.56175
IsDebuggerPresent
failed 0 0
1620808751.07775
IsDebuggerPresent
failed 0 0
1620808751.56175
IsDebuggerPresent
failed 0 0
1620808752.07775
IsDebuggerPresent
failed 0 0
1620808752.56175
IsDebuggerPresent
failed 0 0
1620808753.07775
IsDebuggerPresent
failed 0 0
1620808753.56175
IsDebuggerPresent
failed 0 0
1620808754.07775
IsDebuggerPresent
failed 0 0
1620808754.56175
IsDebuggerPresent
failed 0 0
1620808755.07775
IsDebuggerPresent
failed 0 0
1620808755.56175
IsDebuggerPresent
failed 0 0
1620808756.07775
IsDebuggerPresent
failed 0 0
1620808756.56175
IsDebuggerPresent
failed 0 0
1620808757.07775
IsDebuggerPresent
failed 0 0
1620808757.56175
IsDebuggerPresent
failed 0 0
1620808758.07775
IsDebuggerPresent
failed 0 0
1620808758.56175
IsDebuggerPresent
failed 0 0
1620808759.07775
IsDebuggerPresent
failed 0 0
1620808759.56175
IsDebuggerPresent
failed 0 0
1620808760.07775
IsDebuggerPresent
failed 0 0
1620808760.56175
IsDebuggerPresent
failed 0 0
1620808761.07775
IsDebuggerPresent
failed 0 0
1620808761.56175
IsDebuggerPresent
failed 0 0
1620808762.07775
IsDebuggerPresent
failed 0 0
1620808762.56175
IsDebuggerPresent
failed 0 0
1620808763.07775
IsDebuggerPresent
failed 0 0
1620808763.56175
IsDebuggerPresent
failed 0 0
1620808764.07775
IsDebuggerPresent
failed 0 0
1620808764.56175
IsDebuggerPresent
failed 0 0
1620808765.07775
IsDebuggerPresent
failed 0 0
1620808765.56175
IsDebuggerPresent
failed 0 0
1620808766.07775
IsDebuggerPresent
failed 0 0
1620808766.56175
IsDebuggerPresent
failed 0 0
1620808767.07775
IsDebuggerPresent
failed 0 0
1620808767.56175
IsDebuggerPresent
failed 0 0
1620808768.07775
IsDebuggerPresent
failed 0 0
1620808768.56175
IsDebuggerPresent
failed 0 0
1620808769.07775
IsDebuggerPresent
failed 0 0
1620808769.56175
IsDebuggerPresent
failed 0 0
1620808770.07775
IsDebuggerPresent
failed 0 0
1620808770.56175
IsDebuggerPresent
failed 0 0
1620808771.07775
IsDebuggerPresent
failed 0 0
1620808771.56175
IsDebuggerPresent
failed 0 0
1620808772.07775
IsDebuggerPresent
failed 0 0
1620808772.56175
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1620813495.168625
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\mZHgxzSVWHH"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620808746.73375
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (7 个事件)
Time & API Arguments Status Return Repeated
1620808803.34375
__exception__
stacktrace: 
0x563a28a
0x5639b98
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x5638a3d
0x5637717
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x7950c7
0x79490f
0x7945bd
0x7992aa
0x798a3d
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3

registers.esp: 1688668
registers.edi: 1688692
registers.eax: 0
registers.ebp: 1688708
registers.edx: 8
registers.ebx: 0
registers.esi: 40548952
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc 8b 4d d8 ff 15 3c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x563d6a0
success 0 0
1620808804.60875
__exception__
stacktrace: 
0x68fcbaa
0x563a09c
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x5638a3d
0x5637717
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x7950c7
0x79490f
0x7945bd
0x7992aa
0x798a3d
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3

registers.esp: 1687208
registers.edi: 1687248
registers.eax: 3
registers.ebp: 1687264
registers.edx: 0
registers.ebx: 40594680
registers.esi: 40799328
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 2c ff 50 14 39 00 89 45 c8 e9 87 00
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6eb2077
success 0 0
1620808804.74975
__exception__
stacktrace: 
0x563a09c
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x5638a3d
0x5637717
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x7950c7
0x79490f
0x7945bd
0x7992aa
0x798a3d
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65

registers.esp: 1687272
registers.edi: 40808676
registers.eax: 0
registers.ebp: 1688756
registers.edx: 40808676
registers.ebx: 40594680
registers.esi: 40596372
registers.ecx: 40120136
exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 83 7f 04 01 0f 9f
exception.instruction: cmp dword ptr [eax + 4], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x68fcc94
success 0 0
1620808804.76575
__exception__
stacktrace: 
0x68fd0c7
0x563a09c
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x5638a3d
0x5637717
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x7950c7
0x79490f
0x7945bd
0x7992aa
0x798a3d
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3

registers.esp: 1687196
registers.edi: 1687248
registers.eax: 0
registers.ebp: 1687264
registers.edx: 39962192
registers.ebx: 40594680
registers.esi: 40596372
registers.ecx: 0
exception.instruction_r: 39 09 e8 ec 8f f3 6a 89 45 c8 33 d2 89 55 dc 83
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6eb3451
success 0 0
1620808804.78075
__exception__
stacktrace: 
0x68fd262
0x563a09c
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x5638a3d
0x5637717
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x7950c7
0x79490f
0x7945bd
0x7992aa
0x798a3d
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3

registers.esp: 1687212
registers.edi: 0
registers.eax: 40858832
registers.ebp: 1687264
registers.edx: 1
registers.ebx: 40858276
registers.esi: 40858252
registers.ecx: 40858832
exception.instruction_r: 39 07 68 ff ff ff 7f 6a 00 8b d1 8b cf e8 73 32
exception.instruction: cmp dword ptr [edi], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6eb55fb
success 0 0
1620808806.65575
__exception__
stacktrace: 
0x68fdb62
0x563a09c
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x5638a3d
0x5637717
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x7950c7
0x79490f
0x7945bd
0x7992aa
0x798a3d
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3

registers.esp: 1687168
registers.edi: 1687248
registers.eax: 0
registers.ebp: 1687264
registers.edx: 39962192
registers.ebx: 40594680
registers.esi: 40596372
registers.ecx: 0
exception.instruction_r: 39 09 e8 91 e5 f2 6a 83 78 04 00 0f 84 62 02 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6ebdeac
success 0 0
1620808807.85875
__exception__
stacktrace: 
_vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77da9e31
IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x7637d141
OleCreateFromData+0x195 NdrProxyForwardingFunction4-0x81f ole32+0xc586d @ 0x767b586d
ObjectStublessClient31+0x886b STGMEDIUM_UserUnmarshal-0x20e43 ole32+0x998db @ 0x767898db
system+0x577bfc @ 0x718e7bfc
system+0x7a0f66 @ 0x70ea0f66
system+0x7a092c @ 0x70ea092c
system+0x7a058e @ 0x70ea058e
system+0x79e700 @ 0x70e9e700
system+0x79d843 @ 0x70e9d843
system+0x79d8b1 @ 0x70e9d8b1
0x715cbd4
0x563930d
system+0x216fb6 @ 0x70916fb6
0x520c95
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
0x715c927
0x563a0c6
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x5638a3d
0x5637717
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd3d0 @ 0x71ecd3d0
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
LogHelp_TerminateOnAssert+0x3adfe StrongNameErrorInfo-0x4d09c clr+0x97856 @ 0x73c27856
LogHelp_TerminateOnAssert+0x3b14b StrongNameErrorInfo-0x4cd4f clr+0x97ba3 @ 0x73c27ba3
LogHelp_TerminateOnAssert+0x3b30d StrongNameErrorInfo-0x4cb8d clr+0x97d65 @ 0x73c27d65
mscorlib+0x2bd689 @ 0x71ecd689
mscorlib+0x2bd37c @ 0x71ecd37c
mscorlib+0x2bbfed @ 0x71ecbfed
mscorlib+0x2c3284 @ 0x71ed3284
0x7950c7
0x79490f
0x7945bd
0x7992aa

registers.esp: 1687396
registers.edi: 3538944
registers.eax: 4294967288
registers.ebp: 1687440
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 3538944
exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84
exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58
exception.instruction: cmp byte ptr [eax + 7], 5
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 499288
exception.address: 0x77da9e58
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Performs some HTTP requests (1 个事件)
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Allocates read-write-execute memory (usually to unpack itself) (50 out of 197 个事件)
Time & API Arguments Status Return Repeated
1620808745.89075
NtAllocateVirtualMemory
process_identifier: 884
region_size: 1376256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x007c0000
success 0 0
1620808745.89075
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008d0000
success 0 0
1620808746.39075
NtAllocateVirtualMemory
process_identifier: 884
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00500000
success 0 0
1620808746.39075
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00520000
success 0 0
1620808746.49975
NtProtectVirtualMemory
process_identifier: 884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1620808746.71875
NtAllocateVirtualMemory
process_identifier: 884
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00610000
success 0 0
1620808746.71875
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00660000
success 0 0
1620808746.71875
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056a000
success 0 0
1620808746.71875
NtProtectVirtualMemory
process_identifier: 884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1620808746.71875
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00562000
success 0 0
1620808747.68675
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b2000
success 0 0
1620808747.81175
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e5000
success 0 0
1620808747.82775
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005eb000
success 0 0
1620808747.82775
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e7000
success 0 0
1620808747.96875
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b3000
success 0 0
1620808747.98375
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005bc000
success 0 0
1620808748.07775
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00790000
success 0 0
1620808748.39075
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b4000
success 0 0
1620808749.06175
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00791000
success 0 0
1620808749.35875
NtAllocateVirtualMemory
process_identifier: 884
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b5000
success 0 0
1620808749.42175
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b7000
success 0 0
1620808749.56175
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b8000
success 0 0
1620808749.70275
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ca000
success 0 0
1620808749.70275
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c7000
success 0 0
1620808750.07775
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ba000
success 0 0
1620808750.71875
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b9000
success 0 0
1620808750.89075
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e20000
success 0 0
1620808751.01575
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00563000
success 0 0
1620808751.01575
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c6000
success 0 0
1620808751.12475
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005cb000
success 0 0
1620808751.28075
NtAllocateVirtualMemory
process_identifier: 884
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00792000
success 0 0
1620808751.29675
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056c000
success 0 0
1620808751.39075
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f30000
success 0 0
1620808751.39075
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f31000
success 0 0
1620808751.43675
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00794000
success 0 0
1620808751.56175
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f32000
success 0 0
1620808751.62475
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f33000
success 0 0
1620808751.62475
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00795000
success 0 0
1620808751.65575
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005bd000
success 0 0
1620808751.65575
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f34000
success 0 0
1620808751.67175
NtAllocateVirtualMemory
process_identifier: 884
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00796000
success 0 0
1620808784.87475
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00521000
success 0 0
1620808785.18675
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00799000
success 0 0
1620808785.21875
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00f35000
success 0 0
1620808785.21875
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0079a000
success 0 0
1620808785.32775
NtProtectVirtualMemory
process_identifier: 884
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 273920
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05ae0400
failed 3221225550 0
1620808787.29675
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0079b000
success 0 0
1620808787.29675
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0079c000
success 0 0
1620808787.31175
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0079d000
success 0 0
1620808787.32775
NtAllocateVirtualMemory
process_identifier: 884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0079e000
success 0 0
Steals private information from local Internet browsers (6 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
Looks up the external IP address (1 个事件)
domain api.ipify.org
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\mZHgxzSVWHH.exe
Creates a suspicious process (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\mZHgxzSVWHH" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp191C.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZHgxzSVWHH" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp191C.tmp"
Drops an executable to the user AppData folder (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\mZHgxzSVWHH.exe
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1620808788.17175
ShellExecuteExW
parameters: /Create /TN "Updates\mZHgxzSVWHH" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp191C.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620808808.62475
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.5127569745508245 section {'size_of_data': '0x0008f400', 'virtual_address': '0x00002000', 'entropy': 7.5127569745508245, 'name': '.text', 'virtual_size': '0x0008f274'} description A section with a high entropy has been found
entropy 0.6115261472785486 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1620808748.51575
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\mZHgxzSVWHH" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp191C.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZHgxzSVWHH" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp191C.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Looks for the Windows Idle Time to determine the uptime (1 个事件)
Time & API Arguments Status Return Repeated
1620808834.48375
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description 9be2c07044dd29bce61679a6d7093b42.exe tried to sleep 2728827 seconds, actually delayed analysis time by 2728827 seconds
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp191C.tmp
Harvests credentials from local FTP client softwares (4 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)
Time & API Arguments Status Return Repeated
1620808807.85875
SetWindowsHookExW
thread_identifier: 0
callback_function: 0x00537a32
module_address: 0x06020000
hook_identifier: 13 (WH_KEYBOARD_LL)
failed 0 0
Harvests credentials from local email clients (5 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 个事件)
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Siggen2.55139
MicroWorld-eScan Trojan.GenericKD.34504818
CAT-QuickHeal Trojan.Multi
ALYac Trojan.GenericKD.34504818
Cylance Unsafe
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanPSW:MSIL/Agensla.210b2575
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
Arcabit Trojan.Generic.D20E8072
Invincea Mal/Generic-S
BitDefenderTheta Gen:NN.ZemsilF.34254.6m0@aGJ47sb
Cyren W32/MSIL_Kryptik.BPW.gen!Eldorado
Symantec Trojan.Gen.2
ESET-NOD32 a variant of MSIL/GenKryptik.ESBZ
TrendMicro-HouseCall TROJ_GEN.R03BC0GID20
Avast Win32:MalwareX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.34504818
AegisLab Trojan.Multi.Generic.4!c
Rising Trojan.GenKryptik!8.AA55 (TFE:C:FI7uIstx7FV)
Ad-Aware Trojan.GenericKD.34504818
Comodo Malware@#sn7ce7oydv4z
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R03BC0GID20
McAfee-GW-Edition BehavesLike.Win32.Generic.dh
FireEye Generic.mg.9be2c07044dd29bc
Sophos Mal/Generic-S
Ikarus Trojan.MSIL.Crypt
Webroot W32.Trojan.Gen
MAX malware (ai score=88)
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft Trojan:Win32/Ymacco.AAFF
ViRobot Trojan.Win32.Z.Heapoverride.960000
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.34504818
McAfee Fareit-FZV!9BE2C07044DD
VBA32 CIL.HeapOverride.Heur
Malwarebytes Trojan.Crypt
APEX Malicious
Tencent Msil.Trojan-qqpass.Qqrob.Hxzu
Fortinet MSIL/GenKryptik.ESBZ!tr
AVG Win32:MalwareX-gen [Trj]
Panda Trj/CI.A
Qihoo-360 Win32/Trojan.c96
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-09-10 22:31:05

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49189 124.225.105.97 www.download.windowsupdate.com 80
192.168.56.101 49185 54.235.175.90 api.ipify.org 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 58970 224.0.0.252 5355
192.168.56.101 60221 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.