SmartHawk

2.3

中危

55 个模型检测该样本为恶意！

重新分析

下载样本

07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d

07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d.exe

分析耗时

274s

最近分析

398天前

文件大小

133.8KB

静态报毒动态报毒 CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN DOWNLOADER UPATRE

DACN 0.14

FACILE 1.00

IMCLNet 0.77

MFGraph 0.00

引擎	描述	特征	威胁分数	可能家族	检测耗时
DACN	基于动态分析和胶囊网络的可视化恶意软件检测	API调用、DLL以及注册表的修改情况	0.14	Unknown	0.07s
FACILE	利用改进的层次胶囊网络对二进制恶意软件图像进行识别分类	二进制图像映射为的灰度图像	1.00	Unknown	0.03s
IMCLNet	轻量化深度卷积网络模型实现恶意软件家族检测	原始二进制映射而成的可视化图像	0.77	Unknown	0.21s
MFGraph	利用静态特征构建图网络以检测恶意软件	原始二进制PE文件的静态特征节点	0.00	Unknown	0.00s

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	None	20190527	0.3.0.5
Avast	Win32:Malware-gen	20191005	18.4.3895.0
Baidu	Win32.Trojan.Kryptik.lg	20190318	1.0.0.2
CrowdStrike	win/malicious_confidence_100% (D)	20190702	1.0
Kingsoft	None	20191005	2013.8.14.323
McAfee	Downloader-FAWW!B35B8FA9BC3C	20191005	6.0.6.653
Tencent	None	20191005	1.0.0.1

查询计算机名称 (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545323.140875 GetComputerNameW	computer_name: TU-PC	success	1	0
1727545332.797 GetComputerNameW	computer_name: TU-PC	success	1	0

一个或多个进程崩溃 (22 个事件)

Time & API	Arguments	Status
1727545313.421875 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 658505728 registers.edx: 3221225610 registers.ebx: 2130567168 registers.esp: 1637600 registers.ebp: 1637620 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1905 @ 0x401905 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1a4a @ 0x401a4a 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1d83 @ 0x401d83 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.421875 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637632 registers.ebp: 1637652 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1905 @ 0x401905 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1a4a @ 0x401a4a 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1d83 @ 0x401d83 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.421875 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637664 registers.ebp: 1637684 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1905 @ 0x401905 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1a4a @ 0x401a4a 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1d83 @ 0x401d83 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.421875 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637696 registers.ebp: 1637716 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1905 @ 0x401905 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1a4a @ 0x401a4a 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1d83 @ 0x401d83 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.421875 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637728 registers.ebp: 1637748 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1905 @ 0x401905 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1a4a @ 0x401a4a 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1d83 @ 0x401d83 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.421875 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637760 registers.ebp: 1637780 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1905 @ 0x401905 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1a4a @ 0x401a4a 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1d83 @ 0x401d83 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.421875 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637792 registers.ebp: 1637812 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1905 @ 0x401905 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1a4a @ 0x401a4a 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1d83 @ 0x401d83 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.421875 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637824 registers.ebp: 1637844 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1905 @ 0x401905 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1a4a @ 0x401a4a 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1d83 @ 0x401d83 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.437875 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637856 registers.ebp: 1637876 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1905 @ 0x401905 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1a4a @ 0x401a4a 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1d83 @ 0x401d83 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.437875 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637888 registers.ebp: 1637908 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1905 @ 0x401905 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x18fc @ 0x4018fc 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1a4a @ 0x401a4a 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1d83 @ 0x401d83 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545313.437875 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637920 registers.ebp: 1637940 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1905 @ 0x401905 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1a4a @ 0x401a4a 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x1d83 @ 0x401d83 07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.485 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1287454720 registers.edx: 3221225610 registers.ebx: 2130567168 registers.esp: 1637600 registers.ebp: 1637620 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 cwipnyon+0x1905 @ 0x401905 cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x1a4a @ 0x401a4a cwipnyon+0x1d83 @ 0x401d83 cwipnyon+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.485 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637632 registers.ebp: 1637652 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 cwipnyon+0x1905 @ 0x401905 cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x1a4a @ 0x401a4a cwipnyon+0x1d83 @ 0x401d83 cwipnyon+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.485 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637664 registers.ebp: 1637684 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 cwipnyon+0x1905 @ 0x401905 cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x1a4a @ 0x401a4a cwipnyon+0x1d83 @ 0x401d83 cwipnyon+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.485 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637696 registers.ebp: 1637716 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 cwipnyon+0x1905 @ 0x401905 cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x1a4a @ 0x401a4a cwipnyon+0x1d83 @ 0x401d83 cwipnyon+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.485 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637728 registers.ebp: 1637748 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 cwipnyon+0x1905 @ 0x401905 cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x1a4a @ 0x401a4a cwipnyon+0x1d83 @ 0x401d83 cwipnyon+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.485 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637760 registers.ebp: 1637780 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 cwipnyon+0x1905 @ 0x401905 cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x1a4a @ 0x401a4a cwipnyon+0x1d83 @ 0x401d83 cwipnyon+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.485 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637792 registers.ebp: 1637812 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 cwipnyon+0x1905 @ 0x401905 cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x1a4a @ 0x401a4a cwipnyon+0x1d83 @ 0x401d83 cwipnyon+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.485 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637824 registers.ebp: 1637844 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 cwipnyon+0x1905 @ 0x401905 cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x1a4a @ 0x401a4a cwipnyon+0x1d83 @ 0x401d83 cwipnyon+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.485 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637856 registers.ebp: 1637876 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 cwipnyon+0x1905 @ 0x401905 cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x1a4a @ 0x401a4a cwipnyon+0x1d83 @ 0x401d83 cwipnyon+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.485 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637888 registers.ebp: 1637908 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 cwipnyon+0x1905 @ 0x401905 cwipnyon+0x18fc @ 0x4018fc cwipnyon+0x1a4a @ 0x401a4a cwipnyon+0x1d83 @ 0x401d83 cwipnyon+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success
1727545323.485 __exception__	exception.address: 0x775a22c2 exception.instruction: btr dword ptr [eax], 0 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.exception_code: 0xc0000005 registers.eax: 32 registers.ecx: 1995019596 registers.edx: 998 registers.ebx: 2130567168 registers.esp: 1637920 registers.ebp: 1637940 registers.esi: 32 registers.edi: 28 stacktrace: FindClose+0x3a FindFirstFileExW-0xa0 kernelbase+0x194b4 @ 0x76e994b4 cwipnyon+0x1905 @ 0x401905 cwipnyon+0x1a4a @ 0x401a4a cwipnyon+0x1d83 @ 0x401d83 cwipnyon+0x2125 @ 0x402125 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success

分配可读-可写-可执行内存（通常用于自解压） (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545322.109875 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x00400000 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 2948	success	0	0
1727545331.782 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x00400000 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 1260	success	0	0

在 PE 资源中识别到外语 (6 个事件)

name

RT_ICON

language

LANG_RUSSIAN

filetype

None

sublanguage

SUBLANG_RUSSIAN

offset

0x000215a0

size

0x00000468

name

RT_ICON

language

LANG_RUSSIAN

filetype

None

sublanguage

SUBLANG_RUSSIAN

offset

0x000215a0

size

0x00000468

name

RT_ICON

language

LANG_RUSSIAN

filetype

None

sublanguage

SUBLANG_RUSSIAN

offset

0x000215a0

size

0x00000468

name

RT_DIALOG

language

LANG_RUSSIAN

filetype

None

sublanguage

SUBLANG_RUSSIAN

offset

0x00021b58

size

0x000000aa

name

RT_GROUP_ICON

language

LANG_RUSSIAN

filetype

None

sublanguage

SUBLANG_RUSSIAN

offset

0x00021a08

size

0x00000030

name

RT_VERSION

language

LANG_RUSSIAN

filetype

None

sublanguage

SUBLANG_RUSSIAN

offset

0x00021a38

size

0x0000011c

在文件系统上创建可执行文件 (1 个事件)

file	C:\Users\Administrator\AppData\Local\Temp\cwipnyon.exe

投放一个二进制文件并执行它 (1 个事件)

file	C:\Users\Administrator\AppData\Local\Temp\cwipnyon.exe

将可执行文件投放到用户的 AppData 文件夹 (1 个事件)

file	C:\Users\Administrator\AppData\Local\Temp\cwipnyon.exe

一个进程创建了一个隐藏窗口 (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545323.296875 ShellExecuteExW	filepath: C:\Users\Administrator\AppData\Local\Temp\cwipnyon.exe filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\cwipnyon.exe parameters: show_type: 0	success	1	0

与未执行 DNS 查询的主机进行通信 (2 个事件)

host	114.114.114.114
host	8.8.8.8

文件已被 VirusTotal 上 55 个反病毒引擎识别为恶意 (50 out of 55 个事件)

ALYac	Trojan.Agent.BLMG
APEX	Malicious
AVG	Win32:Malware-gen
Ad-Aware	Trojan.Agent.BLMG
AhnLab-V3	Trojan/Win32.Upatre.R160436
Antiy-AVL	Trojan/Win32.BTSGeneric
Arcabit	Trojan.Agent.BLMG
Avast	Win32:Malware-gen
Avira	TR/Dldr.Upatre.NN
Baidu	Win32.Trojan.Kryptik.lg
BitDefender	Trojan.Agent.BLMG
CAT-QuickHeal	TrojanDownloader.Upatre.RF4
Comodo	TrojWare.Win32.TrojanDownloader.Upatre.DLF@5t0aja
CrowdStrike	win/malicious_confidence_100% (D)
Cybereason	malicious.9bc3ce
Cylance	Unsafe
Cyren	W32/Upatre.CG
DrWeb	Trojan.Upatre.6020
ESET-NOD32	a variant of Win32/Kryptik.DRSE
Emsisoft	Trojan.Agent.BLMG (B)
Endgame	malicious (high confidence)
F-Prot	W32/Upatre.CG
F-Secure	Trojan.TR/Dldr.Upatre.NN
FireEye	Generic.mg.b35b8fa9bc3ceed0
Fortinet	W32/Kryptik.DRLD!tr
GData	Trojan.Agent.BLMG
Ikarus	Trojan.Win32.Crypt
Invincea	heuristic
Jiangmin	TrojanDownloader.Upatre.rsq
K7AntiVirus	Trojan ( 004c9af51 )
K7GW	Trojan ( 004c9af51 )
Kaspersky	HEUR:Trojan.Win32.Generic
MAX	malware (ai score=83)
McAfee	Downloader-FAWW!B35B8FA9BC3C
McAfee-GW-Edition	BehavesLike.Win32.Dropper.cz
MicroWorld-eScan	Trojan.Agent.BLMG
Microsoft	TrojanDownloader:Win32/Upatre
NANO-Antivirus	Trojan.Win32.Upatre.duomhy
Panda	Trj/Genetic.gen
Qihoo-360	HEUR/QVM07.1.58B7.Malware.Gen
Rising	Malware.FakePDF@CV!1.A24A (CLASSIC)
SUPERAntiSpyware	Trojan.Agent/Gen-Upatre
SentinelOne	DFI - Suspicious PE
Sophos	Troj/Upatre-RY
Symantec	Downloader.Upatre!g14
Trapmine	malicious.moderate.ml.score
TrendMicro	TROJ_UPATRE.SMJTU
TrendMicro-HouseCall	TROJ_UPATRE.SMJTU
VBA32	TrojanDownloader.Upatre
VIPRE	Trojan.Win32.Generic.pak!cobra

288x288

224x224

192x192

160x160

128x128

96x96

64x64

32x32

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2015-07-29 16:40:21

PE Imphash

da116dfc3bf1a272eb9f4943bcfadaa5

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x000073e2	0x00008000	6.025893596578432
.rdata	0x00009000	0x00001670	0x00002000	2.6371341097671444
.data	0x0000b000	0x00014da8	0x00014000	1.6191123935506073
.rsrc	0x00020000	0x00001c08	0x00002000	5.116861333025444

Resources

Name	Offset	Size	Language	Sub-language	File type
RT_ICON	0x000215a0	0x00000468	LANG_RUSSIAN	SUBLANG_RUSSIAN	None
RT_ICON	0x000215a0	0x00000468	LANG_RUSSIAN	SUBLANG_RUSSIAN	None
RT_ICON	0x000215a0	0x00000468	LANG_RUSSIAN	SUBLANG_RUSSIAN	None
RT_DIALOG	0x00021b58	0x000000aa	LANG_RUSSIAN	SUBLANG_RUSSIAN	None
RT_GROUP_ICON	0x00021a08	0x00000030	LANG_RUSSIAN	SUBLANG_RUSSIAN	None
RT_VERSION	0x00021a38	0x0000011c	LANG_RUSSIAN	SUBLANG_RUSSIAN	None

Imports

Library KERNEL32.dll:

• 0x409014 RemoveDirectoryW

• 0x409018 GetTickCount

• 0x40901c CloseHandle

• 0x409020 GetLastError

• 0x409024 GetFileAttributesW

• 0x409028 GetFileAttributesA

• 0x40902c WaitForSingleObject

• 0x409030 GetModuleHandleA

• 0x409034 TerminateThread

• 0x409038 VirtualAlloc

• 0x40903c GetThreadPriority

• 0x409040 CreateEventW

• 0x409044 OpenSemaphoreA

• 0x409048 LCMapStringW

• 0x40904c LCMapStringA

• 0x409050 GetStringTypeW

• 0x409054 GetStringTypeA

• 0x409058 MultiByteToWideChar

• 0x40905c RaiseException

• 0x409060 SetFilePointer

• 0x409064 Sleep

• 0x409068 GetProcAddress

• 0x40906c LoadLibraryW

• 0x409070 OpenMutexW

• 0x409074 FindClose

• 0x409078 FlushFileBuffers

• 0x40907c LoadLibraryA

• 0x409080 GetStartupInfoA

• 0x409084 GetCommandLineA

• 0x409088 GetVersion

• 0x40908c ExitProcess

• 0x409090 HeapReAlloc

• 0x409094 HeapAlloc

• 0x409098 TerminateProcess

• 0x40909c GetCurrentProcess

• 0x4090a0 HeapSize

• 0x4090a4 UnhandledExceptionFilter

• 0x4090a8 GetModuleFileNameA

• 0x4090ac FreeEnvironmentStringsA

• 0x4090b0 FreeEnvironmentStringsW

• 0x4090b4 WideCharToMultiByte

• 0x4090b8 GetEnvironmentStrings

• 0x4090bc GetEnvironmentStringsW

• 0x4090c0 SetHandleCount

• 0x4090c4 GetStdHandle

• 0x4090c8 GetFileType

• 0x4090cc HeapDestroy

• 0x4090d0 HeapCreate

• 0x4090d4 VirtualFree

• 0x4090d8 HeapFree

• 0x4090dc RtlUnwind

• 0x4090e0 WriteFile

• 0x4090e4 GetCPInfo

• 0x4090e8 GetACP

• 0x4090ec GetOEMCP

• 0x4090f0 SetStdHandle

Library USER32.dll:

• 0x4090f8 LoadIconA

• 0x4090fc ShowWindow

• 0x409100 LoadBitmapA

• 0x409104 LoadCursorW

• 0x409108 MessageBoxW

• 0x40910c ReleaseDC

Library GDI32.dll:

• 0x409008 CreatePen

• 0x40900c SelectObject

Library ADVAPI32.dll:

• 0x409000 OpenServiceW

Library WinSCard.dll:

• 0x409114 SCardForgetReaderW

L!This program cannot be run in DOS mode.
cOn0On0On0;S`0On0PPd0On0P}0On0Oo0On0PPe0On0
Ih0On0RichOn0
`.rdata
@.data
rtualAllocEx
EE_^[]
U SVWE
jUPEE_^[]U,SVWE
R<$tPf<$
X_[^3^
It.ht lt
HHtpHHtl
YAE t!E@E
t;ERPWVEU9
~;E]xf
CPEPCS
YY~2MQu
E_^[#@
KVW~&|$
t*f u!f t
]EuMm]E
eYt,F=`A
@H80t8
X3UQQ}
A80t<^
VWt*DA
GY}(=@A
_^][USVW}
Fu FSu
_^[]t$
wDVSU(
Yt$CH;r
tACH;r
Yu3Vt$
YtF>"u
< v^S39
PqY;5tA
8t9UWY
YE?=t"U<;Y
8u]5$A
[UQQS39
EPEPSSWM
YEPEPE
@"t)t%
F8"uF@C
@C8"u,
VW333;u3
SS@SSPVSSD$4
t#SSUPt$$VSS
;t<8t
u+@UY;u
3_^][YY
DSUVWh
_^][D3j
XUSVWUj
Pjht>@
t.;t$$t(4v
VC20XC00U
]_^[]UL$
YY\WP\
@Y<v)\P
3^SVt$
>+~&WPv
YSVW33395A
tAt2t$
_WPSc#
^[]SVt$
_^[3VWj
|_^UXE
t+Ht$Ht
HtHHt
Y_^[UQV}u:
ARV5PA
;^}%95`A
Vj YjD$
SVWj \$
<WjYj
X+P7y*
}_^[UQQE
SVWxj Ye
<3E_^[
Ju^W|$
SVWj }
Eu&E3P
EPEPvEVPw
@PEP 3|;|(EPVw
IYY3jY+O
1_^[hpA
3PPPPu
3PPPPu
EP$W|$
Wz@PWV
r)$XR@
DDDDDDDDDDDDDD
j?UIZ;
r;]uy;
;uY;]s
pD#U#ue
j #M_|
]#\D\D
VW3;u0DP
X_^[UWVu
DDDDDDDDDDDDDD
t$VYVt
90tr0B=A
j@3Y@A
@j@3Y@A
@;vAA9
Wj@Y3@A
 t7SWU
BBBu_[j
VPVPV5DA
@AA;rI3
VWuBh8@
;tg5h@
GIt%t)
Gt/KuD$
GKu[^D$
:t4VRV&
@@_^[]U
;}+]t
3;u>EPj
E;tc]<
euWSV=
e33M;t)uVu
_^[Ujh
SVWe39=
"WWSh@
M]9}tfSuu
tMWWSuu
Mu;tVSuuu
3;VEN@
}SpSjEPS
YfE^fC
[U\SVW}
+t1-t,0tRC
VPmYYj
+ttHHtd
XO0uD} 
MEEPEuPjE3
33333333E
#fWEEEEEEEEEEEE?E
NfUkM}
EFPEPL
EPnNYuO
PEPEPEM
E_^[;r
t78t2=<A
SUVW|$
tiW%Yt<
_^][Vt$
fEEUQQE
u5}u,e
rYY39M
`h````
ppxxxx
(null)
GAIsProcessorFeaturePresent
KERNEL32
runtime error 
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: 
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
_hypot
1#QNAN
1#SNAN
FindClose
GetProcAddress
LoadLibraryW
GetThreadPriority
RemoveDirectoryW
GetTickCount
CloseHandle
GetLastError
GetFileAttributesW
GetFileAttributesA
WaitForSingleObject
GetModuleHandleA
TerminateThread
VirtualAlloc
OpenMutexW
CreateEventW
OpenSemaphoreA
KERNEL32.dll
LoadIconA
ReleaseDC
MessageBoxW
LoadCursorW
LoadBitmapA
ShowWindow
USER32.dll
CreatePen
SelectObject
GDI32.dll
OpenServiceW
ADVAPI32.dll
SCardForgetReaderW
WinSCard.dll
GetStartupInfoA
GetCommandLineA
GetVersion
ExitProcess
HeapReAlloc
HeapAlloc
TerminateProcess
GetCurrentProcess
HeapSize
UnhandledExceptionFilter
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
HeapDestroy
HeapCreate
VirtualFree
HeapFree
RtlUnwind
WriteFile
GetCPInfo
GetACP
GetOEMCP
LoadLibraryA
FlushFileBuffers
SetFilePointer
RaiseException
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
LCMapStringA
LCMapStringW
SetStdHandle
jvaIiy{uubri*
x"!"!/
>LNXYhrLN
h5LN>h>@LN
h>LN.h>\N
LN,h>LN
i}vtrezuN[nyHenji
[zutiuiW
reziHrgly~iz|kh-Wezo~uuzpumi[uepxJ|{}WPGzfunkmziLwitQoreurqu>GixZqxnytg
i{snzLwithuzmopgNluXirizuxmliL{tngp{|q>Srii
tymruro{h
ptjprjrTllikqxu{TuhfiNxmnzf
jprP[vuYxikyiW
wpipizjrnuptizpzougnz|ypnikzgNUptnixKo{yRzliLmptySixOzop>IpxiplzFmpi]pxoepiy>Hzx~cizlesxWN3i
:`x3OlhKXx3hK
jhKux3>x+X^hU
F:LhKu.
heQ9.N
IeiPyU
VlJViKP^hUhi^
nx;+_+_
rKzKh)
Hdr;+?
;RhtfV
;_xK+{
h>nNiBM$ y
z:x3u^
K[:H^lU
'iLXtNi l/fMvi>-<hK/Z^;Rt,tXjVnhSfR^f+;p
tctfxfx+6NvhSfZdOx+l<fn^_h
tiPKhMx3
thnUVI
h>VKv|E>`ev(
hQlJvN^
|tmixYN5h>
rh6&VE>9:N
tjeUXd>7
(jtNepXh
YllKeXUY^-
UH~EyV+
A(WlM]4
u7x85i3Y
izN3QZ
y.ifUri
fVlJWK
Bh=MFtu~U
tu^lryhe
]hVhgiYI
O$l>A-Ky
Xygu~U
yF3Yy+xBjUU
w`MHu +
Kf+YtmUbKe
j6UriyXK
1ULY:Ji2
EK+FJd
oMu;EJ-
}2ghMU
Z<x85i
yzjrftvh>V
KPQfuu2gW
y4Yjenh9LUnjiC
WggY^fi
Li3Yij
>NtinU:
p{FNKS,(
8HvfL~|}gxgEzs
||||A>jVL`u
zB;z}~];,Kl
vv}^BHX;^g`_?K
z~vjxx~BKf{eB>KA&,^uuz&A7x|crAvshT3'4hxyz|isv>|ptu{xLA==T2BtIAwreL)>=]-NJ]gtm*=JAABtIAwreLA9=S*BtIAwreL)=GAANJ]gtm'>=\*NJ]gtm+ADW,)Bz\gzm*AH[ANJ]gtm*AGSABtIAwreLAAKW'zz<=a*A8=],BtIAwreLA7=\'BtIAwreLA>I^(BtIAwreLA<=\&BtIAwreLA7=]*NJ]gtm*AJY('Bz\gzm*ASA*NJ]gtm*8=\*NJ]gtm(<HAANJ]gtm*AJTA-Bz\gzm3AGT-3
tg|N8J^+,;<Agm:=S*-
tg|N7IW)'
tg|N<=\-A=hBr-|
SA-A;hBr-|
GAAA=<Agm<SAA+>hBr-|
GAA*<I>tt*gz}JT+,9I]zzAyh\-A7=\@z,Awz3(AHY'zz<=a2,<JZL
|=u(+AIT&zz<=a)-9RYL
|=u(-ARZL
|=u2A;SXzzAyhY-)AE^zzAyh]'-3JZx|-w>*A=EWzzAyhZ(-;JWx|-w>-A8=]@z,AwzA(<=\@z,AwzA-<KA@z,Awz3,ASA@z,Awz-(AST,zz<=a(,<RAL
|=u(-AK\L
|=u+-ARAL
|=u(-AK\-zz<=a
(LvRNm>vNNY>vZNU>vVNa>vbN]>v^NI>v*NE>v&NQ>v2NM>v.N9>v:N5>v6NA>vB
N=>v>NZ>vKNV>vGNR>vSNN>vONj>v[Nf>vWNb>vcN^>v_Nz>vjkNv>vfgNr>vrsNn>vnoN
;hGaIZDS>L#E
~}|Awvu:~pon3xihg,rba`%l[ZY
N876H10/B*)((""!s
fz]sYlTe@^GW@P
h&saZ
{zy>tsr7mlk0fed)_^]"XWV
g<;:a543[.-,U'&%qO 
1t~+5w%p.<i(Hb"J[
fwwv;`ppo4Ziih-Tbba&N[[ZHTTS
0887*1100}+*)nw$#"q
S[{MVtG]mAVf;
{}}|Auvvu:ooon3ihhg,caa`%][ZY
?876910//r}njfba^Z
4ey.br(Mk")d
#A|:u3
Xyyx=Rrrq6Lkkj/Fddc(@]]\!:VVU
,,++njfb^ZAVsRwNsJ
h<]0ukY=dSG]M?VG-OA3H;%A5|:/
ssrrqpoY|
_100.q
.$#"su
'M>GJ|wz9;t=89kfi`
&`!#%W
2-[0''
qpodidQV[VTTS
BGB@@?
::9|.3.u
1+:)(sJ( o
y[0rUkO4dI
H1A+|:%u3oz*q["k
3ggffedca^]\]XWVTSNJJIIFD/A@?=<963
0,,+&&%u#!
?^\ZB/m&be d%
~0){&2ar,-#P"eI
,Fe|{zy?ssrrqpo5XkjihRoK#aEGDX\
QPON6JIH2FSA@?9988F432
9<*)(s
>w94_b
9wZXML~E
bba(O^]\[
MMLTH`LCBA
('&%h! 
|=yB;q|vmfp,o^
UNCWXZ
>_2l 41)
lz~+&Nkji`edcs
BBAP;;:
u0hcdUX[J
Q7@Ic:2sp
Za`_^]\
~}|B]xwvu;Zqpon4gjihg-<ba`e:7\V
303A/.-p&u/)mDo
=B~G+@
`.ng\"p)m.j3[b-a
?97T41
fnml)`
m5sgYUvl[u#l+kQ
F<}3E<n
C)g"3k!#e
QeTM?}6ru0t5!2Vl52f
xwvvuts9onml2hgfe+a`_^$ZYXW
J54w0/.-p)('&i"! b
{zyyxwv
{<6elkji^
A3%ICRA@
z w)0/.-p"
$#""]k
>C?wy<xAmp;
8W;0m3n
rWKV+*)(
mEiL@ua)g[)4
;R?N3f
*L<5u.p+o0j-i2d/c
rDczyxwa~Z2pTeNlR`C [XB7
5<;:9|
qspa#je
>-@nozCW
t-qqh+g0Da
vcevyx;^rqpbP,hgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)('&%$#"! 
Ix@oGAkU'9p|B
~QCv)/&D(
uuvHMXB
9;5SM]=];Z] T7aZ%]g']
?Zd;On
7?3=Bz
;1az?aUY~S|
D?$?9'
*?}d|FU>c{
zc%C1<!8G
u7.:3q
#2IZ9W
,%I-64OSk%Y
JJJIJJIIJHJIHJJIJIHJIHJIHJIHJIHJI
R^W`S[1<DM+8=F-:+8+7t{
*DPALsz&6
.`gX]1HU
W^"49KQ`
Q`"6%8am
@gfhgfhfgfeifehhifjffgeifeifeifeifeifeifeifeifeifeifeifeifeifeifeifeif@
:@/4qro
BSn|t{sro
9FjoxFS8Aopm
"2$/UcYhWdNSopo
@P'9mmm
FX"5mmm
@SL[mmm
9Q%6lnk
PQT73@ #
AIBJFMCI@IBHDJBJEODMEOCKBICK>C444#"
#)0QU7?
z}{oqsnqn@!#
$ry4<\d4A
!"# *!1
*rw^l^i5>
(EN!/"2/"3"3 /
!#"&"&"2.rxbk
* 0#4$/#4
#'#'#5$5%8-<CM4>"10@AM:F!1#1DQCPAN$3$3$2#1%4,
|}y}{|
#)019DJ,4<C-6,4+4txkkl 
'ENAJqw&1
(`d ",GQ|7C-._f
"%"08FQ\<HQ\"2#2ai
%@"0@{p
kernel32.dll
lkewrtewrljl;
hjkjhkj;l';'re
(null)
         (((((                  H
AAAAAAAAAAA
AAAAAAAAAAA
VS_VERSION_INFO
StringFileInfo
041924b2
BuildVersion
7, 17, 22, 129
VarFileInfo
Translation
Dialog
Times new roman
Cancel
C:\temp\07\QH\PE\part2\TrojanDownloader\Upatre\r4\a7fc6398afea99f9d2c502e0d8476b2f.EXE
C:\1dc48d9c8e26fb7f41bcccf7c7126c90e3288c82130154e6b6c754c0ef37ce0d
C:\5765d7f38831917f41eab5beff2ee53ddf41579a11d8b9182b8d4e8a75b863b8
C:\Users\admin\Downloads\cwipnyon.exe
C:\c22de2dd9d2b2af86c1ac4ab62daac5ec1ae62b6e1623d049c11fea93c0b3171
C:\564ecd34d9dbd32ed2d58bb65160fb115856869eda6bf99d7a8690ec1c4cb8b6
C:\Users\admin\Downloads\cwipnyon.exe
C:\318bdda5d2baeee60fde03b642be4a3e99746069326daa7f4fa971c58a679b15
C:\Users\admin\Downloads\cwipnyon.exe
C:\e4a6223fa66f18562c4272757227c8f780b1625c113c38b2e2384590362c967b
C:\Users\admin\Downloads\cwipnyon.exe
C:\a7ac54ad4389b772aa24d503c3a8a4c699430c6d260ed9f721187539f2128646
C:\Users\admin\Downloads\cwipnyon.exe
C:\152782c4ff7df306515dc94d978f2f3478c3126c2c3f7f7710b2d2815de027e9
C:\Users\admin\Downloads\cwipnyon.exe
C:\8c98c27cfd8a2d479e369aa30bf41fce4761451698bed669ca4669b53741bb7f

Process Tree

07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d.exe (2948) "C:\Users\Administrator\AppData\Local\Temp\07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d.exe"
- cwipnyon.exe (1260) "C:\Users\ADMINI~1\AppData\Local\Temp\cwipnyon.exe"

07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d.exe, PID: 2948, Parent PID: 1064

default registry file network process services synchronisation iexplore office pdf

cwipnyon.exe, PID: 1260, Parent PID: 2948

default registry file network process services synchronisation iexplore office pdf

Hosts

IP
114.114.114.114
8.8.8.8

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255 A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53179	224.0.0.252	5355
192.168.56.101	49642	224.0.0.252	5355
192.168.56.101	137	192.168.56.255	137
192.168.56.101	61714	114.114.114.114	53
192.168.56.101	61714	8.8.8.8	53
192.168.56.101	56933	8.8.8.8	53
192.168.56.101	138	192.168.56.255	138
192.168.56.101	58485	114.114.114.114	53
192.168.56.101	58485	8.8.8.8	53
192.168.56.101	57665	114.114.114.114	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name	cb13b48b83efa682_cwipnyon.exe
Filepath	C:\Users\Administrator\AppData\Local\Temp\cwipnyon.exe
Size	134.0KB
Processes	2948 (07ef4dbf4d0acac3522151118dcc798fd4f497781b25572eef50d7d3a90b094d.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`25dd094490057e3f37ae6016df6bf764`
SHA1	`ac4856dbdae52973c3061d88ab9fcd9fbe8736d1`
SHA256	`cb13b48b83efa6823f771ea82daba362bcbdcc344c212b4c63aa780322bae654`
CRC32	`CE7399D4`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Sorry! No dropped buffers.