13.8
0-day
SHA256: bf9caae4940f91401db499ed61a89d3e5ed867bc846f229cced95288739f8dc6
File name: d9a806cbd0892008214dc9d7ea929e42.exe
Analysis duration: 88s
Last analysis:
File size: 1.1MB
Static detection / dynamic detection tags: AGENSLA AI SCORE=86 ALI1000123 ARTEMIS AUTOIT CONFIDENCE GENERIC@ML GENERICKD HIGH CONFIDENCE HNMWAR MALITRAR MALWARE@#UUMVER4Q1TZV NANOCORE NMMXO ODRX PROBABLY HEUR QQPASS QQROB R002C0DGB20 R343019 RARAUTORUN RDMK RUNNER SCORE SWV1ST101YYDDPD9MW TQA8 TSGENERIC UNSAFE WACATAC WTNK
Eagle Eye (鹰眼) engine
Not detected: no Eagle Eye engine result available
Static verdict
Antivirus engines
Engine       Result                              Scan date   Engine version
McAfee       Artemis!D9A806CBD089                20200722    6.0.6.653
Alibaba      Trojan:Win32/runner.ali1000123      20190527    0.3.0.5
Baidu        -                                   20190318    1.0.0.2
Avast        Win32:Trojan-gen                    20200722    18.4.3895.0
Kingsoft     -                                   20200722    2013.8.14.323
Tencent      Msil.Trojan-qqpass.Qqrob.Wtnk       20200722    1.0.0.1
CrowdStrike  win/malicious_confidence_70% (W)    20190702    1.0
Static indicators
Queries for the computername (4 events)
Time             API               Arguments                Status   Return  Repeated
1619965865.1605  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
1619965866.3485  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
1619965867.9575  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
1619965868.1605  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
Checks if process is being debugged by a debugger (4 events)
Time             API                Arguments  Status   Return  Repeated
1619965841.27    IsDebuggerPresent             failed   0       0
1619965841.27    IsDebuggerPresent             failed   0       0
1619965852.2075  IsDebuggerPresent             failed   0       0
1619965852.2075  IsDebuggerPresent             failed   0       0
This executable has a PDB path (1 event)
pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Checks amount of memory in system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time             API                  Arguments  Status   Return  Repeated
1619965841.426   GlobalMemoryStatusEx            success  1       0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .gfids
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name PNG
One or more processes crashed (8 events)
Time & API Arguments Status Return Repeated
1619965849.879
__exception__
exception.instruction_r: 89 30 8b 45 e0 8b 55 e4 8d 7e 08 f0 0f c7 0f 3b
exception.symbol: RtlInitUnicodeString+0x1f3 RtlMultiByteToUnicodeN-0x14a ntdll+0x2e3fb
exception.instruction: mov dword ptr [eax], esi
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189435
exception.address: 0x77d5e3fb
success 0 0
1619965867.8485
__exception__
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc 69 c6 4f d2 ad e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4ee2022
success 0 0
1619965890.4415
__exception__
exception.instruction_r: 39 09 e8 69 5a fc 6b 83 78 04 00 0f 84 b3 03 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5e269d4
success 0 0
1619965890.5515
__exception__
exception.instruction_r: 39 09 e8 b8 19 fc 6b 89 45 b8 b8 a2 48 82 36 b9
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5e2aa85
success 0 0
1619965890.5665
__exception__
exception.instruction_r: 8b 01 8b 40 2c ff 50 14 39 00 89 45 c8 b8 48 67
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5e2b544
success 0 0
1619965890.7705
__exception__
exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 8b 95 38 fb ff ff
exception.instruction: cmp dword ptr [eax + 4], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5e91e51
success 0 0
1619965890.8015
__exception__
exception.instruction_r: 39 00 68 ff ff ff 7f 6a 00 8b 4d c8 e8 58 b7 09
exception.instruction: cmp dword ptr [eax], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5e2d117
success 0 0
1619965897.2545
__exception__
exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84
exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58
exception.instruction: cmp byte ptr [eax + 7], 5
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 499288
exception.address: 0x77da9e58
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 122 events)
Steals private information from local Internet browsers (6 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
Creates (office) documents on the filesystem (6 events)
file C:\91352782\jogplcf.pdf
file C:\91352782\noiufpb.docx
file C:\91352782\bqoqs.ppt
file C:\91352782\mbxxdb.docx
file C:\91352782\wkafsxht.ppt
file C:\91352782\mkofsk.docx
Creates executable files on the filesystem (5 events)
file C:\91352782\jsswh.dll
file C:\91352782\seth.dll
file C:\91352782\esos.exe
file C:\91352782\nmmxo.pif
file C:\91352782\dqia.cpl
Drops a binary and executes it (1 event)
file C:\91352782\nmmxo.pif
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619965864.8485
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Expresses interest in specific running processes (1 event)
process regsvcs.exe
Network communication
One or more of the buffers contains an embedded PE file (2 events)
buffer Buffer with sha1: ec4d0c38f7351e8d47d21e45e1d09b5e110454d3
buffer Buffer with sha1: e1b1642d7c0ba9354103b4a87b1c7da3ded045e2
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619965849.895
NtAllocateVirtualMemory
process_identifier: 3356
region_size: 6451200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000194
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00230000
success 0 0
A process attempted to delay the analysis task. (1 event)
description RegSvcs.exe tried to sleep 2728254 seconds, actually delayed analysis time by 2728254 seconds
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon.exe reg_value c:\91352782\nmmxo.pif c:\91352782\msrox.wuj
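The Run entry above carries several tells at once: the value name borrows a core Windows binary name (winlogon.exe), the target is a .pif in a digit-named top-level directory, the argument is a companion data file rather than a switch, and the key landed under Wow6432Node because a 32-bit writer is running on a 64-bit host. The following is an added triage helper, not code from the report or from the sample, that scores an autorun entry on exactly those heuristics. The watchlists and trusted-directory prefixes are assumptions to tune per environment; the report shows the value name appended to the key path, so the call below passes the key and the value name separately.

```python
"""Triage an autorun (Run key) entry like the one in this report.

Added example, not code from the report or the sample. The watchlists and
thresholds are assumptions a practitioner would tune to their environment.
"""
import ntpath  # Windows path rules, usable on any host
import re

# Value names that imitate core Windows binaries (assumed watchlist).
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe",
                "svchost.exe", "explorer.exe"}
# Extensions the loader will execute but that are rare as autorun targets.
ODD_EXE_EXT = {".pif", ".cpl", ".scr", ".com"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows",
       "%programfiles%": "c:\\program files"}


def expand(path):
    """Lower-case and expand the few environment variables Run values use."""
    p = path.lower()
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p


def parse_run_value(data):
    """Split a Run value into (target, arguments); quoted or bare target."""
    data = data.strip()
    m = (re.match(r'"([^"]+)"\s*(.*)$', data)
         or re.match(r'(\S+)\s*(.*)$', data))
    return (m.group(1), m.group(2).strip()) if m else (data, "")


def triage_run_entry(key, value_name, data):
    """Return the list of reasons this entry deserves a look (empty = quiet)."""
    target, args = parse_run_value(data)
    t = expand(target)
    reasons = []
    if value_name.lower() in SYSTEM_NAMES:
        reasons.append("value name impersonates a Windows system binary")
    if not t.startswith(TRUSTED_PREFIXES):
        reasons.append("target outside Windows/Program Files")
    ext = ntpath.splitext(t)[1]
    if ext in ODD_EXE_EXT:
        reasons.append(f"unusual executable extension {ext}")
    parts = t.split("\\")
    if len(parts) > 2 and parts[1].isdigit():
        reasons.append("top-level directory is a digit-only name")
    if args:
        a = expand(args)
        # A data file next to the target usually carries the real payload
        # or script that the launcher decodes at runtime.
        if (ntpath.dirname(a) == ntpath.dirname(t)
                and ntpath.splitext(a)[1] not in (".exe", ".dll", "")):
            reasons.append("argument is a non-executable companion file "
                           "beside the target (payload or script carrier)")
    if "\\wow6432node\\" in key.lower():
        reasons.append("written through the 32-bit registry view "
                       "(32-bit writer on a 64-bit host)")
    return reasons


if __name__ == "__main__":
    # The entry from this report, split into key, value name and data.
    for r in triage_run_entry(
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
            "winlogon.exe",
            r"c:\91352782\nmmxo.pif c:\91352782\msrox.wuj"):
        print("-", r)
```

Run against the entry from this report it returns six reasons; a stock entry such as SecurityHealth pointing into %windir%\system32 returns none, which is the behaviour to keep when tuning the lists.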
Harvests credentials from local FTP client software (4 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Potential code injection by writing to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619965850.113
WriteProcessMemory
process_identifier: 3356
buffer: ÿÿÿÿ#ú~ú~(ý~€›mèÿÿ jHâý~±
process_handle: 0x00000194
base_address: 0x7efde000
success 1 0
Creates a windows hook that monitors keyboard input (keylogger) (1 event)
Time & API Arguments Status Return Repeated
1619965897.2855
SetWindowsHookExW
thread_identifier: 0
callback_function: 0x027c7682
module_address: 0x00230000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 459099 0
Harvests credentials from local email clients (5 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 3220 called NtSetContextThread to modify thread in remote process 3356
Time & API Arguments Status Return Repeated
1619965850.113
NtSetContextThread
thread_handle: 0x00000190
registers.eip: 2010382788
registers.esp: 2292652
registers.edi: 0
registers.eax: 2585870
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3356
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 3220 resumed a thread in remote process 3356
Time & API Arguments Status Return Repeated
1619965850.488
NtResumeThread
thread_handle: 0x00000190
suspend_count: 1
process_identifier: 3356
success 0 0
Executed a process and injected code into it, probably while unpacking (17 events)
Time & API Arguments Status Return Repeated
1619948420.116739
CreateProcessInternalW
thread_identifier: 3224
thread_handle: 0x0000016c
process_identifier: 3220
current_directory: C:\91352782
filepath: C:\91352782\nmmxo.pif
track: 1
command_line: "C:\91352782\nmmxo.pif" msrox.wuj
filepath_r: C:\91352782\nmmxo.pif
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000001e4
inherit_handles: 0
success 1 0
1619965848.082
NtResumeThread
thread_handle: 0x00000184
suspend_count: 1
process_identifier: 3220
success 0 0
1619965849.863
CreateProcessInternalW
thread_identifier: 3360
thread_handle: 0x00000190
process_identifier: 3356
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RegSvcs.exe
track: 1
command_line:
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000194
inherit_handles: 0
success 1 0
1619965849.895
NtGetContextThread
thread_handle: 0x00000190
success 0 0
1619965849.895
NtAllocateVirtualMemory
process_identifier: 3356
region_size: 6451200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000194
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00230000
success 0 0
1619965849.941
WriteProcessMemory
process_identifier: 3356
buffer:
process_handle: 0x00000194
base_address: 0x00230000
success 1 0
1619965850.113
WriteProcessMemory
process_identifier: 3356
buffer: ÿÿÿÿ#ú~ú~(ý~€›mèÿÿ jHâý~±
process_handle: 0x00000194
base_address: 0x7efde000
success 1 0
1619965850.113
NtSetContextThread
thread_handle: 0x00000190
registers.eip: 2010382788
registers.esp: 2292652
registers.edi: 0
registers.eax: 2585870
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3356
success 0 0
1619965850.488
NtResumeThread
thread_handle: 0x00000190
suspend_count: 1
process_identifier: 3356
success 0 0
1619965852.2075
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3356
success 0 0
1619965852.2075
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 3356
success 0 0
1619965852.2705
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 3356
success 0 0
1619965866.1455
NtResumeThread
thread_handle: 0x000002ec
suspend_count: 1
process_identifier: 3356
success 0 0
1619965866.2235
NtResumeThread
thread_handle: 0x0000031c
suspend_count: 1
process_identifier: 3356
success 0 0
1619965867.9415
NtResumeThread
thread_handle: 0x00000370
suspend_count: 1
process_identifier: 3356
success 0 0
1619965901.1915
NtResumeThread
thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3356
success 0 0
1619965901.3015
NtResumeThread
thread_handle: 0x00000428
suspend_count: 1
process_identifier: 3356
success 0 0
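Read in order, the events above are the classic process-hollowing (RunPE) chain: nmmxo.pif (PID 3220) creates RegSvcs.exe (PID 3356) with CREATE_SUSPENDED, reads the primary thread's context, allocates a 6 MB PAGE_EXECUTE_READWRITE region in the child through the same process handle (0x194), writes into it, repoints the thread with NtSetContextThread via the thread handle from creation (0x190), and resumes it. The later NtAllocateVirtualMemory calls with process_handle 0xffffffff are the hollowed process allocating in itself (the current-process pseudo-handle), not further remote writes, and the WH_KEYBOARD_LL hook with thread_identifier 0 is a system-wide keyboard hook installed from the injected code. The correlator below is an added example, not the sandbox's own signature code: it consumes events in the shape the report shows and fires only when all five stages occur in order on the handles obtained at creation. The event list is constructed from the calls above; the PID of the SFX parent that started nmmxo.pif (3100) is assumed because the report does not show it, and loading a real report into the same dict shape is assumed and not shown.

```python
"""Correlate a Cuckoo-style API trace into a process-hollowing finding.

Added example for this report, not part of the sandbox's own signatures.
The trace is constructed from the calls the report shows (3220 = nmmxo.pif,
3356 = RegSvcs.exe); the SFX parent PID 3100 is assumed.
"""
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x4          # dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40   # memory protection constant
WH_KEYBOARD_LL = 13             # SetWindowsHookEx hook id

# The stages of the chain, in the order they must appear.
ORDER = ("suspended_create", "remote_rwx_alloc", "remote_write",
         "set_context", "resume")

# Constructed trace; "pid" is the caller, args mirror the report's fields.
TRACE = [
    # Assumed SFX parent starts nmmxo.pif suspended, then only resumes it:
    # a suspended create on its own is not hollowing.
    {"pid": 3100, "api": "CreateProcessInternalW",
     "args": {"process_identifier": 3220, "thread_handle": "0x0000016c",
              "process_handle": "0x000001e4", "creation_flags": 67634196}},
    {"pid": 3100, "api": "NtResumeThread",
     "args": {"process_identifier": 3220, "thread_handle": "0x00000184"}},
    {"pid": 3220, "api": "CreateProcessInternalW",
     "args": {"process_identifier": 3356, "thread_handle": "0x00000190",
              "process_handle": "0x00000194", "creation_flags": 4}},
    {"pid": 3220, "api": "NtGetContextThread",
     "args": {"thread_handle": "0x00000190"}},
    {"pid": 3220, "api": "NtAllocateVirtualMemory",
     "args": {"process_identifier": 3356, "process_handle": "0x00000194",
              "protection": 64, "region_size": 6451200,
              "base_address": "0x00230000"}},
    {"pid": 3220, "api": "WriteProcessMemory",
     "args": {"process_identifier": 3356, "process_handle": "0x00000194",
              "base_address": "0x00230000"}},
    {"pid": 3220, "api": "NtSetContextThread",
     "args": {"process_identifier": 3356, "thread_handle": "0x00000190",
              "registers.eip": 2010382788}},
    {"pid": 3220, "api": "NtResumeThread",
     "args": {"process_identifier": 3356, "thread_handle": "0x00000190"}},
    # Self-allocation inside the hollowed process: -1 is the
    # current-process pseudo-handle, so this is not a remote write.
    {"pid": 3356, "api": "NtAllocateVirtualMemory",
     "args": {"process_identifier": 3356, "process_handle": "0xffffffff",
              "protection": 64, "region_size": 4096}},
    {"pid": 3356, "api": "SetWindowsHookExW",
     "args": {"hook_identifier": 13, "thread_identifier": 0}},
]


@dataclass
class Hollowing:
    parent: int
    child: int
    process_handle: str
    thread_handle: str
    stages: list = field(default_factory=list)

    def advance(self, stage):
        """Record a stage only if it is the next one expected."""
        if len(self.stages) < len(ORDER) and ORDER[len(self.stages)] == stage:
            self.stages.append(stage)

    @property
    def complete(self):
        return tuple(self.stages) == ORDER


def detect_hollowing(trace):
    """Return the (parent, child) chains that complete all five stages."""
    chains = {}
    for ev in trace:
        a, api = ev["args"], ev["api"]
        if (api == "CreateProcessInternalW"
                and a.get("creation_flags", 0) & CREATE_SUSPENDED):
            chains[(ev["pid"], a["process_identifier"])] = Hollowing(
                ev["pid"], a["process_identifier"], a["process_handle"],
                a["thread_handle"], ["suspended_create"])
            continue
        h = chains.get((ev["pid"], a.get("process_identifier")))
        if h is None:
            continue
        # Later stages must go through the handles obtained at creation.
        if (api == "NtAllocateVirtualMemory"
                and a.get("process_handle") == h.process_handle
                and a.get("protection") == PAGE_EXECUTE_READWRITE):
            h.advance("remote_rwx_alloc")
        elif api == "WriteProcessMemory" and a.get("process_handle") == h.process_handle:
            h.advance("remote_write")
        elif api == "NtSetContextThread" and a.get("thread_handle") == h.thread_handle:
            h.advance("set_context")
        elif api == "NtResumeThread" and a.get("thread_handle") == h.thread_handle:
            h.advance("resume")
    return [h for h in chains.values() if h.complete]


def detect_global_keyboard_hooks(trace):
    """PIDs that install a system-wide WH_KEYBOARD_LL hook (thread id 0)."""
    return [ev["pid"] for ev in trace
            if ev["api"].startswith("SetWindowsHookEx")
            and ev["args"].get("hook_identifier") == WH_KEYBOARD_LL
            and ev["args"].get("thread_identifier") == 0]


if __name__ == "__main__":
    for h in detect_hollowing(TRACE):
        print(f"process hollowing: {h.parent} -> {h.child}, stages {h.stages}")
    print("global keyboard hook installed by:", detect_global_keyboard_hooks(TRACE))
```

Requiring the stages in order on matching handles is what keeps the SFX's own suspended create of nmmxo.pif (resumed through a different thread handle, with no remote write) out of the result; a correlator that only counts API names would flag it too.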
File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)
MicroWorld-eScan Trojan.GenericKD.43473686
FireEye Generic.mg.d9a806cbd0892008
McAfee Artemis!D9A806CBD089
Cylance Unsafe
K7AntiVirus Trojan ( 00557ab51 )
Alibaba Trojan:Win32/runner.ali1000123
K7GW Trojan ( 00557ab51 )
Cybereason malicious.105e47
TrendMicro TROJ_GEN.R002C0DGB20
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:Trojan-gen
ClamAV Win.Malware.Autoit-7599063-0
Kaspersky Trojan-PSW.MSIL.Agensla.sef
BitDefender Trojan.GenericKD.43473686
NANO-Antivirus Trojan.Win32.Agensla.hnmwar
Paloalto generic.ml
Rising Trojan.Generic@ML.85 (RDMK:Da3/sWV1St101yyDDPD9Mw)
Endgame malicious (high confidence)
Sophos Mal/MalitRar-I
Comodo Malware@#uumver4q1tzv
F-Secure Dropper.DR/AutoIt.Gen
Invincea heuristic
Emsisoft Trojan.GenericKD.43473686 (B)
Cyren W32/Trojan.ODRX-0142
Avira nmmxo.pif
Antiy-AVL Trojan/Win32.TSGeneric
Microsoft Trojan:Win32/Nanocore.BF!MTB
Arcabit Trojan.Generic.D2975B16
AegisLab Trojan.BAT.Crypter.tqa8
ZoneAlarm Trojan-PSW.MSIL.Agensla.sef
GData Trojan.GenericKD.43473686
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.R343019
VBA32 Trojan.Wacatac
ALYac Trojan.GenericKD.43473686
MAX malware (ai score=86)
Ad-Aware Trojan.GenericKD.43473686
Malwarebytes Trojan.MalPack.AutoIt
Zoner Probably Heur.RARAutorun
ESET-NOD32 Win32/Injector.Autoit.CNO
TrendMicro-HouseCall TROJ_GEN.R002C0DGB20
Tencent Msil.Trojan-qqpass.Qqrob.Wtnk
Ikarus Trojan.Inject
eGambit Unsafe.AI_Score_67%
AVG Win32:Trojan-gen
CrowdStrike win/malicious_confidence_70% (W)
Qihoo-360 Generic/Trojan.PSW.d4d
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample
Run screenshots
No run screenshots: no screenshots were captured while the sample ran
PE Compile Time

2019-04-28 04:03:27

Imports

Library KERNEL32.dll:
0x430000 GetLastError
0x430004 SetLastError
0x430008 GetCurrentProcess
0x43000c DeviceIoControl
0x430010 SetFileTime
0x430014 CloseHandle
0x430018 CreateDirectoryW
0x43001c RemoveDirectoryW
0x430020 CreateFileW
0x430024 DeleteFileW
0x430028 CreateHardLinkW
0x43002c GetShortPathNameW
0x430030 GetLongPathNameW
0x430034 MoveFileW
0x430038 GetFileType
0x43003c GetStdHandle
0x430040 WriteFile
0x430044 ReadFile
0x430048 FlushFileBuffers
0x43004c SetEndOfFile
0x430050 SetFilePointer
0x430054 SetFileAttributesW
0x430058 GetFileAttributesW
0x43005c FindClose
0x430060 FindFirstFileW
0x430064 FindNextFileW
0x430068 GetVersionExW
0x430070 GetFullPathNameW
0x430074 FoldStringW
0x430078 GetModuleFileNameW
0x43007c GetModuleHandleW
0x430080 FindResourceW
0x430084 FreeLibrary
0x430088 GetProcAddress
0x43008c GetCurrentProcessId
0x430090 ExitProcess
0x430098 Sleep
0x43009c LoadLibraryW
0x4300a0 GetSystemDirectoryW
0x4300a4 CompareStringW
0x4300a8 AllocConsole
0x4300ac FreeConsole
0x4300b0 AttachConsole
0x4300b4 WriteConsoleW
0x4300bc CreateThread
0x4300c0 SetThreadPriority
0x4300d4 SetEvent
0x4300d8 ResetEvent
0x4300dc ReleaseSemaphore
0x4300e0 WaitForSingleObject
0x4300e4 CreateEventW
0x4300e8 CreateSemaphoreW
0x4300ec GetSystemTime
0x430108 GetCPInfo
0x43010c IsDBCSLeadByte
0x430110 MultiByteToWideChar
0x430114 WideCharToMultiByte
0x430118 GlobalAlloc
0x43011c GetTickCount
0x430120 LockResource
0x430124 GlobalLock
0x430128 GlobalUnlock
0x43012c GlobalFree
0x430130 LoadResource
0x430134 SizeofResource
0x43013c GetExitCodeProcess
0x430140 GetLocalTime
0x430144 MapViewOfFile
0x430148 UnmapViewOfFile
0x43014c CreateFileMappingW
0x430150 OpenFileMappingW
0x430154 GetCommandLineW
0x430160 GetTempPathW
0x430164 MoveFileExW
0x430168 GetLocaleInfoW
0x43016c GetTimeFormatW
0x430170 GetDateFormatW
0x430174 GetNumberFormatW
0x430178 SetFilePointerEx
0x43017c GetConsoleMode
0x430180 GetConsoleCP
0x430184 HeapSize
0x430188 SetStdHandle
0x43018c GetProcessHeap
0x430190 RaiseException
0x430194 GetSystemInfo
0x430198 VirtualProtect
0x43019c VirtualQuery
0x4301a0 LoadLibraryExA
0x4301a8 IsDebuggerPresent
0x4301b4 GetStartupInfoW
0x4301bc GetCurrentThreadId
0x4301c4 InitializeSListHead
0x4301c8 TerminateProcess
0x4301cc RtlUnwind
0x4301d0 EncodePointer
0x4301d8 TlsAlloc
0x4301dc TlsGetValue
0x4301e0 TlsSetValue
0x4301e4 TlsFree
0x4301e8 LoadLibraryExW
0x4301f0 GetModuleHandleExW
0x4301f4 GetModuleFileNameA
0x4301f8 GetACP
0x4301fc HeapFree
0x430200 HeapAlloc
0x430204 HeapReAlloc
0x430208 GetStringTypeW
0x43020c LCMapStringW
0x430210 FindFirstFileExA
0x430214 FindNextFileA
0x430218 IsValidCodePage
0x43021c GetOEMCP
0x430220 GetCommandLineA
0x43022c DecodePointer
Library gdiplus.dll:
0x430234 GdiplusShutdown
0x430238 GdiplusStartup
0x430248 GdipDisposeImage
0x43024c GdipCloneImage
0x430250 GdipFree
0x430254 GdipAlloc

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.