14.4
0-day

eaf9b9a6ec01ff210fc4efb417a3cdcdb1ea41321f66bbf328586c24ba87f672

dc2c3cb91df0b5fdaadd0452f98d92a4.exe

Analysis time

103s

Last analysis

File size

553.5KB
Static scan: flagged malicious. Dynamic scan: flagged malicious (100%). Detection tags: AGEN AGENTTESLA AI SCORE=83 ATESLA AUTO AVSARHER BSK66A CONFIDENCE ELDORADO FAREIT GDSDA GENERICKD HIGH CONFIDENCE HTFTZO KRYPTIK LOKIBOT MALICIOUS PE MALWARE@#39S2VLEAOXSPE PUTTY PWSX R348928 SPYBOTNET SUSGEN TSCOPE UNSAFE YAKBEEXMSIL ZMUTZY
Eagle Eye engine
Not scanned: no Eagle Eye engine result available yet
Static verdict
Antivirus engines
Engine       Result                               Scan date  Engine version
Alibaba      Trojan:Win32/Kryptik.c6176d44        20190527   0.3.0.5
Avast        Win32:PWSX-gen [Trj]                 20201024   18.4.3895.0
Tencent      Win32.Backdoor.Fareit.Auto           20201024   1.0.0.1
Baidu                                             20190318   1.0.0.2
Kingsoft                                          20201024   2013.8.14.323
McAfee       Fareit-FYV!DC2C3CB91DF0              20201024   6.0.6.653
CrowdStrike  win/malicious_confidence_100% (W)    20190702   1.0
Static indicators
Queries for the computer name (1 event)
Time               API               Arguments                Status   Return  Repeated
1619970654.541875  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
Checks if the process is being debugged by a debugger (50 out of 93 events)
Time               API                Arguments  Status  Return  Repeated
1619970608.073625  IsDebuggerPresent             failed  0       0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time               API                  Arguments  Status   Return  Repeated
1619970608.119625  GlobalMemoryStatusEx            success  1       0
One or more processes crashed (18 events)
dc2c3cb91df0b5fdaadd0452f98d92a4+0x14575 @ 0x414575
dc2c3cb91df0b5fdaadd0452f98d92a4+0x137d7 @ 0x4137d7
dc2c3cb91df0b5fdaadd0452f98d92a4+0x139b7 @ 0x4139b7
dc2c3cb91df0b5fdaadd0452f98d92a4+0x13a2d @ 0x413a2d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2946316
registers.edi: 62
registers.eax: 7608456
registers.ebp: 2946448
registers.edx: 1651834904
registers.ebx: 23
registers.esi: 7608464
registers.ecx: 7373296
exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x77d66f08
success 0 0
1619970683.838875
__exception__
stacktrace:
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x77d5e0d2
RtlDeleteBoundaryDescriptor+0x3f RtlAnsiStringToUnicodeString-0x9 ntdll+0x2e6ac @ 0x77d5e6ac
_wcsnicmp+0x133 RtlInitAnsiStringEx-0x2d ntdll+0x2f76e @ 0x77d5f76e
IsNLSDefinedString+0xd66 CreateThreadpool-0x4be kernelbase+0x3676a @ 0x7791676a
GetModuleHandleA+0x27 GetVersionExA-0x25 kernelbase+0x11f1c @ 0x778f1f1c
CryptContextAddRef-0x5b cryptsp+0x2e1e @ 0x750a2e1e
CryptAcquireContextA+0x3fc CryptGenKey-0x2dc cryptsp+0x469f @ 0x750a469f
New_advapi32_CryptAcquireContextA@20+0x4f New_advapi32_CryptAcquireContextW@20-0xcf @ 0x752e0f45
CryptAcquireContextW+0x97 CryptSetProviderA-0x54 cryptsp+0x647f @ 0x750a647f
New_advapi32_CryptAcquireContextW@20+0x9f New_advapi32_CryptCreateHash@20-0x7f @ 0x752e10b3
dc2c3cb91df0b5fdaadd0452f98d92a4+0x39ae @ 0x4039ae
dc2c3cb91df0b5fdaadd0452f98d92a4+0x13c27 @ 0x413c27
dc2c3cb91df0b5fdaadd0452f98d92a4+0x1428b @ 0x41428b
dc2c3cb91df0b5fdaadd0452f98d92a4+0x14575 @ 0x414575
dc2c3cb91df0b5fdaadd0452f98d92a4+0x137d7 @ 0x4137d7
dc2c3cb91df0b5fdaadd0452f98d92a4+0x139b7 @ 0x4139b7
dc2c3cb91df0b5fdaadd0452f98d92a4+0x13a2d @ 0x413a2d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2946240
registers.edi: 62
registers.eax: 7608456
registers.ebp: 2946372
registers.edx: 1651834904
registers.ebx: 23
registers.esi: 7608464
registers.ecx: 7373296
exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x77d66f08
success 0 0
1619970683.838875
__exception__
stacktrace:
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x77d5e0d2
RtlDeleteBoundaryDescriptor+0x3f RtlAnsiStringToUnicodeString-0x9 ntdll+0x2e6ac @ 0x77d5e6ac
_wcsnicmp+0x133 RtlInitAnsiStringEx-0x2d ntdll+0x2f76e @ 0x77d5f76e
RtlCreateUnicodeStringFromAsciiz+0x29 RtlInitializeConditionVariable-0x31 ntdll+0x38425 @ 0x77d68425
RegOpenKeyExA+0xe8 DisableThreadLibraryCalls-0xce kernel32+0x14817 @ 0x76354817
RegOpenKeyExA+0x21 DisableThreadLibraryCalls-0x195 kernel32+0x14750 @ 0x76354750
New_advapi32_RegOpenKeyExA@20+0x4f New_advapi32_RegOpenKeyExW@20-0x173 @ 0x752e3adf
CPAcquireContext+0x7f0 CPReleaseContext-0xb70 rsaenh+0x4ea8 @ 0x74fb4ea8
CPAcquireContext+0x771 CPReleaseContext-0xbef rsaenh+0x4e29 @ 0x74fb4e29
CPAcquireContext+0xb1 CPReleaseContext-0x12af rsaenh+0x4769 @ 0x74fb4769
CPAcquireContext+0x3f CPReleaseContext-0x1321 rsaenh+0x46f7 @ 0x74fb46f7
CryptAcquireContextA+0x5f4 CryptGenKey-0xe4 cryptsp+0x4897 @ 0x750a4897
New_advapi32_CryptAcquireContextA@20+0x4f New_advapi32_CryptAcquireContextW@20-0xcf @ 0x752e0f45
CryptAcquireContextW+0x97 CryptSetProviderA-0x54 cryptsp+0x647f @ 0x750a647f
New_advapi32_CryptAcquireContextW@20+0x9f New_advapi32_CryptCreateHash@20-0x7f @ 0x752e10b3
dc2c3cb91df0b5fdaadd0452f98d92a4+0x39ae @ 0x4039ae
dc2c3cb91df0b5fdaadd0452f98d92a4+0x13c27 @ 0x413c27
dc2c3cb91df0b5fdaadd0452f98d92a4+0x1428b @ 0x41428b
dc2c3cb91df0b5fdaadd0452f98d92a4+0x14575 @ 0x414575
dc2c3cb91df0b5fdaadd0452f98d92a4+0x137d7 @ 0x4137d7
dc2c3cb91df0b5fdaadd0452f98d92a4+0x139b7 @ 0x4139b7
dc2c3cb91df0b5fdaadd0452f98d92a4+0x13a2d @ 0x413a2d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2945820
registers.edi: 62
registers.eax: 7608456
registers.ebp: 2945952
registers.edx: 1651834904
registers.ebx: 23
registers.esi: 7608464
registers.ecx: 7373296
exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x77d66f08
success 0 0
1619970683.838875
__exception__
stacktrace:
RtlAllocateHeap+0xac RtlFreeAnsiString-0x54 ntdll+0x2e0d2 @ 0x77d5e0d2
CPGenRandom-0x2ba8 rsaenh+0x187b @ 0x74fb187b
CPGetKeyParam+0xbe41 CPDecrypt-0x4b48 rsaenh+0x20ba3 @ 0x74fd0ba3
CPAcquireContext+0x3f CPReleaseContext-0x1321 rsaenh+0x46f7 @ 0x74fb46f7
CryptAcquireContextA+0x5f4 CryptGenKey-0xe4 cryptsp+0x4897 @ 0x750a4897
New_advapi32_CryptAcquireContextA@20+0x4f New_advapi32_CryptAcquireContextW@20-0xcf @ 0x752e0f45
CryptAcquireContextW+0x97 CryptSetProviderA-0x54 cryptsp+0x647f @ 0x750a647f
New_advapi32_CryptAcquireContextW@20+0x9f New_advapi32_CryptCreateHash@20-0x7f @ 0x752e10b3
dc2c3cb91df0b5fdaadd0452f98d92a4+0x39ae @ 0x4039ae
dc2c3cb91df0b5fdaadd0452f98d92a4+0x13c27 @ 0x413c27
dc2c3cb91df0b5fdaadd0452f98d92a4+0x1428b @ 0x41428b
dc2c3cb91df0b5fdaadd0452f98d92a4+0x14575 @ 0x414575
dc2c3cb91df0b5fdaadd0452f98d92a4+0x137d7 @ 0x4137d7
dc2c3cb91df0b5fdaadd0452f98d92a4+0x139b7 @ 0x4139b7
dc2c3cb91df0b5fdaadd0452f98d92a4+0x13a2d @ 0x413a2d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2946248
registers.edi: 62
registers.eax: 7608456
registers.ebp: 2946380
registers.edx: 1651834904
registers.ebx: 23
registers.esi: 7608464
registers.ecx: 7373296
exception.instruction_r: 0f b7 06 99 0f a4 c2 10 c1 e0 10 0b d8 0b fa 89
exception.symbol: LdrUnlockLoaderLock+0x2cc RtlInitUnicodeStringEx-0xe6b ntdll+0x36f08
exception.instruction: movzx eax, word ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 225032
exception.address: 0x77d66f08
success 0 0
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:1784193016&cup2hreq=abb8a1f718655be98aef45114c4fa87e185b63ef00c1978c4efd4039cc287997
Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619941453&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=381372dfd472f8f7&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619941453&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:1784193016&cup2hreq=abb8a1f718655be98aef45114c4fa87e185b63ef00c1978c4efd4039cc287997
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:1784193016&cup2hreq=abb8a1f718655be98aef45114c4fa87e185b63ef00c1978c4efd4039cc287997
Note on the three HTTP indicators above: every request goes to Google Update's own endpoints (the gvt1.com HEAD requests fetch GoogleUpdateSetup.exe, and update.googleapis.com/service/update2 is the Google Update check-in, which is a POST without a referer by design). This is almost certainly background traffic from the analysis VM rather than the sample's command-and-control, so these URLs should not be used as indicators for this file; the sample's own network activity is better judged from the other network indicators in this report.
Allocates read-write-execute memory (usually to unpack itself) (50 of 96 events)
Time & API Arguments Status Return Repeated
1619970607.651625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x006f0000
success 0 0
1619970607.651625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00890000
success 0 0
1619970607.901625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00570000
success 0 0
1619970607.901625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f0000
success 0 0
1619970607.963625
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619970608.073625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 262144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00580000
success 0 0
1619970608.073625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00580000
success 0 0
1619970608.073625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042a000
success 0 0
1619970608.088625
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619970608.088625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00422000
success 0 0
1619970608.307625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00432000
success 0 0
1619970608.448625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00455000
success 0 0
1619970608.448625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0045b000
success 0 0
1619970608.448625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00457000
success 0 0
1619970608.541625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00433000
success 0 0
1619970608.588625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043c000
success 0 0
1619970608.994625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00434000
success 0 0
1619970609.010625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00436000
success 0 0
1619970609.135625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b40000
success 0 0
1619970609.244625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0044a000
success 0 0
1619970609.244625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00447000
success 0 0
1619970609.510625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00437000
success 0 0
1619970609.510625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00438000
success 0 0
1619970609.932625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00439000
success 0 0
1619970610.073625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00bf0000
success 0 0
1619970610.073625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043a000
success 0 0
1619970610.166625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c00000
success 0 0
1619970610.244625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b41000
success 0 0
1619970610.276625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00446000
success 0 0
1619970610.291625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c01000
success 0 0
1619970610.354625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b42000
success 0 0
1619970610.354625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c02000
success 0 0
1619970610.369625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b43000
success 0 0
1619970610.385625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b45000
success 0 0
1619970610.401625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b46000
success 0 0
1619970643.588625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b48000
success 0 0
1619970643.729625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042c000
success 0 0
1619970643.823625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c03000
success 0 0
1619970643.838625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043d000
success 0 0
1619970643.838625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b49000
success 0 0
1619970643.948625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c04000
success 0 0
1619970643.948625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b4a000
success 0 0
1619970643.948625
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 371200
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x050b0400
failed 3221225550 0
1619970651.651625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b4b000
success 0 0
1619970651.698625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b4c000
success 0 0
1619970651.698625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b4d000
success 0 0
1619970651.776625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b4e000
success 0 0
1619970651.791625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b4f000
success 0 0
1619970651.854625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c05000
success 0 0
1619970651.916625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00b00000
success 0 0
A process attempted to delay the analysis task. (1 event)
description dc2c3cb91df0b5fdaadd0452f98d92a4.exe tried to sleep 123 seconds, actually delayed analysis time by 123 seconds
Steals private information from local Internet browsers (19 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.89957732825162 section {'size_of_data': '0x00089c00', 'virtual_address': '0x00002000', 'entropy': 7.89957732825162, 'name': '.text', 'virtual_size': '0x00089b80'} description A section with a high entropy has been found
entropy 0.9963833634719711 description Overall entropy of this PE file is high
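The packer indicator above is a Shannon-entropy measurement per PE section (7.9 bits per byte for .text, against a theoretical maximum of 8.0; plain x86 or MSIL code normally sits well below 7). The Python below is an added example, not code from this report or from the sandbox that produced it: it parses the section table of a PE image with nothing but struct and reports sections whose entropy exceeds a threshold. The 7.4 threshold is my assumption, and build_test_image / sample_image construct a two-section fake PE (no real optional header) so the example runs offline; on a real sample you would pass the file's bytes to packed_sections.

```python
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, virtual_address, raw_bytes) for every section of a PE image.

    Walks DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table; the
    optional header is skipped using SizeOfOptionalHeader, so PE32 and PE32+ both work.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    size_opt, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + size_opt
    for i in range(num_sections):
        off = table + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        yield name, vaddr, image[rawptr:rawptr + rawsize]


def packed_sections(image: bytes, threshold: float = 7.4):
    """Return [(name, entropy)] for sections above the threshold (7.4 is an assumed cut-off)."""
    hits = []
    for name, _vaddr, data in pe_sections(image):
        e = shannon_entropy(data)
        if e > threshold:
            hits.append((name, round(e, 3)))
    return hits


def build_test_image(sections):
    """Constructed minimal PE for offline testing: DOS stub, COFF header, no optional header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    header_end = 64 + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        rawptr = header_end + len(body)
        table += struct.pack("<8sIIII", name.encode(), len(data), 0x1000, len(data), rawptr)
        table += b"\0" * 16                                     # remaining section-header fields
        body += data
    return bytes(dos) + b"PE\0\0" + coff + table + body


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed data."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return out[:n]


def sample_image() -> bytes:
    """Two constructed sections: a 'packed' .text and an ordinary-looking .rdata."""
    return build_test_image([
        (".text", _pseudo_random(4096)),
        (".rdata", b"\x90" * 2048 + bytes(range(256)) * 4),
    ])


if __name__ == "__main__":
    for name, entropy in packed_sections(sample_image()):
        print(f"{name}: entropy {entropy} looks packed/encrypted")
```

Overall-file entropy (the second line above) is computed the same way over the whole image; per-section entropy is the more useful number because a legitimate binary with a large compressed resource can push the file-wide value up while its code section stays normal.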
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619970643.948625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 79.124.8.8
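The "no DNS query" indicator is a correlation, not a signature: a destination that never appeared in a DNS answer captured during the run, which is how a hardcoded C2 address shows up (it also fires for hosts resolved before capture started or through a different resolver, so it needs a second look rather than automatic conviction). The Python below is an added example, not part of this report, that implements the same correlation with timing, so a connection made before its answer arrived is flagged too. SAMPLE_DNS and SAMPLE_CONNECTIONS are constructed; 203.0.113.10 and 198.51.100.7 are documentation addresses, and the function name hosts_without_dns is mine.

```python
def hosts_without_dns(dns_answers, connections):
    """dns_answers: (time, query_name, rrtype, rdata) tuples from the capture.
    connections: (time, destination_ip) tuples for outbound TCP/UDP flows.
    Returns the sorted set of destination IPs that no A/AAAA answer had supplied
    by the time the connection was made (hardcoded or pre-resolved addresses)."""
    first_seen = {}                      # ip -> earliest time an answer produced it
    for t, _name, rrtype, rdata in dns_answers:
        if rrtype in ("A", "AAAA"):
            first_seen[rdata] = min(t, first_seen.get(rdata, t))
    flagged = set()
    for t, ip in connections:
        if ip not in first_seen or first_seen[ip] > t:
            flagged.add(ip)
    return sorted(flagged)


# Constructed sample data, in the shape a pcap post-processor would emit.
SAMPLE_DNS = [
    (1.0, "redirector.gvt1.com", "CNAME", "edge.example.net"),
    (1.0, "redirector.gvt1.com", "A", "203.0.113.10"),
    (9.0, "example.net", "A", "198.51.100.7"),   # answered only after the flow below
]
SAMPLE_CONNECTIONS = [
    (2.0, "203.0.113.10"),   # resolved at t=1, fine
    (3.0, "79.124.8.8"),     # never resolved: flagged
    (4.0, "198.51.100.7"),   # resolved at t=9, after the connection: flagged
]

if __name__ == "__main__":
    print(hosts_without_dns(SAMPLE_DNS, SAMPLE_CONNECTIONS))
```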
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619970652.369625
NtAllocateVirtualMemory
process_identifier: 2944
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00001c48
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Harvests credentials from local FTP client softwares (22 events)
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Harvests information related to installed instant messenger clients (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
Potential code injection by writing to the memory of another process (3 events)
Time & API Arguments Status Return Repeated
1619970652.369625
WriteProcessMemory
process_identifier: 2944
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x00001c48
base_address: 0x00400000
success 1 0
1619970652.369625
WriteProcessMemory
process_identifier: 2944
buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
process_handle: 0x00001c48
base_address: 0x0041a000
success 1 0
1619970652.385625
WriteProcessMemory
process_identifier: 2944
buffer: @
process_handle: 0x00001c48
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619970652.369625
WriteProcessMemory
process_identifier: 2944
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x00001c48
base_address: 0x00400000
success 1 0
Harvests credentials from local email clients (3 events)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
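The browser, FTP, instant-messenger and email harvest signatures above are one pattern: a single process enumerating the credential stores of dozens of applications it has nothing to do with, most of which are not even installed. The Python below is an added example rather than anything from this report or its sandbox: a detection that maps accessed file paths and registry keys to the application whose secrets live there and flags a process once it has touched the stores of several distinct applications, which a legitimate client (reading only its own store) never does. The pattern table is derived from the paths listed in this report; the attribution of each store to an application (for example the Martin Prikryl key to WinSCP) is my assumption, and SAMPLE_EVENTS is constructed.

```python
import re
from collections import defaultdict

# (regex over a normalised path, owning application). Derived from the artifact list in
# this report; which application owns each store is the author's assumption.
CREDENTIAL_STORES = [
    (r"appdata/local/google/chrome/user data/.*/login data$", "Chrome"),
    (r"appdata/local/chromium/user data/.*/(login|web) data$", "Chromium"),
    (r"appdata/local/yandex/yandexbrowser/user data/.*/(login|web) data$", "Yandex Browser"),
    (r"appdata/roaming/opera/.*/login data$", "Opera"),
    (r"filezilla/(sitemanager|recentservers|filezilla)\.xml$", "FileZilla"),
    (r"wcx_ftp\.ini$", "Total Commander"),
    (r"appdata/roaming/ftpgetter/servers\.xml$", "FTPGetter"),
    (r"appdata/roaming/estsoft/alftp/estdb2\.dat$", "ALFTP"),
    (r"appdata/roaming/\.purple/accounts\.xml$", "Pidgin"),
    (r"^hkey_current_user/software/simontatham/putty/sessions$", "PuTTY"),
    (r"^hkey_current_user/software/martin prikryl$", "WinSCP"),
    (r"^hkey_current_user/software/vandyke/securefx$", "SecureFX"),
    (r"^hkey_current_user/software/far2?/plugins/ftp/hosts$", "Far Manager FTP"),
    (r"^hkey_current_user/software/microsoft/office/\d+\.\d+/outlook/profiles", "Outlook"),
    (r"^hkey_local_machine/software/mozilla/mozilla thunderbird$", "Thunderbird"),
    (r"^hkey_local_machine/software/mozilla/mozilla firefox$", "Firefox"),
]
COMPILED = [(re.compile(p), app) for p, app in CREDENTIAL_STORES]


def normalise(path: str) -> str:
    """Case-fold and use forward slashes so one regex covers registry keys and file paths alike."""
    return path.replace("\\", "/").lower()


def classify(path: str):
    """Return the application owning this credential store, or None if it is not one."""
    p = normalise(path)
    for rx, app in COMPILED:
        if rx.search(p):
            return app
    return None


def credential_sweep(events, min_apps=3):
    """events: iterable of (pid, file path or registry key) accesses.
    Returns {pid: sorted application names} for each process that touched the credential
    stores of at least min_apps distinct applications. The threshold is what separates a
    stealer from a legitimate client, which reads only its own store."""
    touched = defaultdict(set)
    for pid, path in events:
        app = classify(path)
        if app is not None:
            touched[pid].add(app)
    return {pid: sorted(apps) for pid, apps in touched.items() if len(apps) >= min_apps}


# Constructed sample: pid 2944 replays paths from this report; pid 1180 plays a FileZilla
# instance reading only its own configuration.
SAMPLE_EVENTS = [
    (2944, r"C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (2944, r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml"),
    (2944, r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini"),
    (2944, r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions"),
    (2944, r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml"),
    (2944, r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    (2944, r"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\scratch.tmp"),   # not a store
    (1180, r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml"),
    (1180, r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml"),
]

if __name__ == "__main__":
    for pid, apps in credential_sweep(SAMPLE_EVENTS).items():
        print(f"pid {pid} swept credential stores of: {', '.join(apps)}")
```

Because the stealer probes stores for software that is absent, most of these accesses fail with file-not-found; a detection that only looks at successful reads misses the sweep, so feed it the attempted opens (Sysmon file-create and registry-open events, or the sandbox's full access list) rather than successful ones.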
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 732 called NtSetContextThread to modify thread in remote process 2944
Time & API Arguments Status Return Repeated
1619970652.385625
NtSetContextThread
thread_handle: 0x0000bb60
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2944
success 0 0
Putty Files, Registry Keys and/or Mutexes Detected
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 732 resumed a thread in remote process 2944
Time & API Arguments Status Return Repeated
1619970652.651625
NtResumeThread
thread_handle: 0x0000bb60
suspend_count: 1
process_identifier: 2944
success 0 0
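Read together, the indicators above are the textbook process-hollowing chain: RWX allocations through the current-process pseudo-handle 0xffffffff while the sample unpacks itself, then a copy of its own executable created with CREATE_SUSPENDED (pid 2944), a 663552-byte executable region allocated through the foreign handle 0x00001c48 at the child's image base 0x00400000, a fresh PE image written there, NtSetContextThread to point the primary thread at the new entry, and NtResumeThread. The Python below is an added example, not part of this report or of the sandbox's signature code: it walks a list of API events in the report's own field names and flags self-unpacking, executable allocations in another process, and a completed hollowing chain, and it only counts a chain complete when the stages occur in that order. SAMPLE_EVENTS is constructed from the values shown above, and the function name analyze_injection is mine.

```python
from collections import defaultdict

# Windows constants; the report prints their decimal values
# (64 = PAGE_EXECUTE_READWRITE, 4 = CREATE_SUSPENDED, 0xffffffff = GetCurrentProcess()).
CURRENT_PROCESS = 0xFFFFFFFF
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE_PROTECTIONS = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
CREATE_SUSPENDED = 0x4

# Stages of the hollowing chain, in the order the report shows them.
CREATED_SUSPENDED, IMAGE_WRITTEN, CONTEXT_SET, RESUMED = 1, 2, 3, 4


def analyze_injection(events):
    """Walk Cuckoo-style API events ({"api": name, "args": {...}}) in order and return
    self_rwx    - RWX allocations/protections the caller applied to its own process (unpacking)
    remote_exec - [(pid, base, size)] executable memory obtained through another process' handle
    hollowed    - [pid] targets that completed create-suspended -> write PE -> set context -> resume
    """
    self_rwx = 0
    remote_exec = []
    stage = defaultdict(int)
    hollowed = []
    for ev in events:
        api, a = ev["api"], ev["args"]
        if api in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory"):
            prot = a.get("protection", 0)
            handle = a.get("process_handle", CURRENT_PROCESS)
            if handle == CURRENT_PROCESS:
                if prot == PAGE_EXECUTE_READWRITE:
                    self_rwx += 1
            elif prot & EXECUTABLE_PROTECTIONS:
                size = a.get("region_size", a.get("length", 0))
                remote_exec.append((a["process_identifier"], a["base_address"], size))
        elif api == "CreateProcessInternalW":
            if a.get("creation_flags", 0) & CREATE_SUSPENDED:
                stage[a["process_identifier"]] = CREATED_SUSPENDED
        elif api == "WriteProcessMemory":
            pid = a["process_identifier"]
            buf = a.get("buffer", b"")
            if isinstance(buf, str):
                buf = buf.encode("latin-1", "replace")
            if stage[pid] >= CREATED_SUSPENDED and buf[:2] == b"MZ":
                stage[pid] = max(stage[pid], IMAGE_WRITTEN)
        elif api == "NtSetContextThread":
            pid = a["process_identifier"]
            if stage[pid] >= IMAGE_WRITTEN:
                stage[pid] = CONTEXT_SET
        elif api == "NtResumeThread":
            pid = a["process_identifier"]
            if stage[pid] == CONTEXT_SET:      # resume only counts after the context was replaced
                stage[pid] = RESUMED
                hollowed.append(pid)
    return {"self_rwx": self_rwx, "remote_exec": remote_exec, "hollowed": hollowed}


# Constructed event list using the pids, handles, sizes and addresses from this report.
SAMPLE_EVENTS = [
    {"api": "NtAllocateVirtualMemory", "args": {"process_identifier": 732, "process_handle": 0xFFFFFFFF,
                                                 "protection": 64, "region_size": 1966080, "base_address": 0x006F0000}},
    {"api": "NtProtectVirtualMemory", "args": {"process_identifier": 732, "process_handle": 0xFFFFFFFF,
                                                "protection": 64, "length": 4096, "base_address": 0x73E71000}},
    {"api": "NtResumeThread", "args": {"process_identifier": 732, "thread_handle": 0xD8}},   # own thread
    {"api": "CreateProcessInternalW", "args": {"process_identifier": 2944, "thread_handle": 0xBB60,
                                                "process_handle": 0x1C48, "creation_flags": 4}},
    {"api": "NtAllocateVirtualMemory", "args": {"process_identifier": 2944, "process_handle": 0x1C48,
                                                 "protection": 64, "region_size": 663552, "base_address": 0x00400000}},
    {"api": "WriteProcessMemory", "args": {"process_identifier": 2944, "process_handle": 0x1C48,
                                            "base_address": 0x00400000,
                                            "buffer": "MZ\x90\x00This program cannot be run in DOS mode."}},
    {"api": "NtSetContextThread", "args": {"process_identifier": 2944, "thread_handle": 0xBB60}},
    {"api": "NtResumeThread", "args": {"process_identifier": 2944, "thread_handle": 0xBB60}},
]

if __name__ == "__main__":
    print(analyze_injection(SAMPLE_EVENTS))
```

The order check matters in practice: installers and debuggers also create suspended processes and resume them, and JIT runtimes allocate RWX memory in their own process all day, so neither event alone is a verdict; it is the foreign handle plus an MZ header plus a rewritten thread context before the resume that makes the chain unambiguous.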
Executed a process and injected code into it, probably while unpacking (17 events)
Time & API Arguments Status Return Repeated
1619970608.073625
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 732
success 0 0
1619970608.088625
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 732
success 0 0
1619970608.119625
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 732
success 0 0
1619970652.104625
NtResumeThread
thread_handle: 0x00007090
suspend_count: 1
process_identifier: 732
success 0 0
1619970652.104625
NtResumeThread
thread_handle: 0x0000954c
suspend_count: 1
process_identifier: 732
success 0 0
1619970652.369625
CreateProcessInternalW
thread_identifier: 2940
thread_handle: 0x0000bb60
process_identifier: 2944
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\dc2c3cb91df0b5fdaadd0452f98d92a4.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\dc2c3cb91df0b5fdaadd0452f98d92a4.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00001c48
inherit_handles: 0
success 1 0
1619970652.369625
NtGetContextThread
thread_handle: 0x0000bb60
success 0 0
1619970652.369625
NtAllocateVirtualMemory
process_identifier: 2944
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00001c48
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619970652.369625
WriteProcessMemory
process_identifier: 2944
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x00001c48
base_address: 0x00400000
success 1 0
1619970652.369625
WriteProcessMemory
process_identifier: 2944
buffer:
process_handle: 0x00001c48
base_address: 0x00401000
success 1 0
1619970652.369625
WriteProcessMemory
process_identifier: 2944
buffer:
process_handle: 0x00001c48
base_address: 0x00415000
success 1 0
1619970652.369625
WriteProcessMemory
process_identifier: 2944
buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
process_handle: 0x00001c48
base_address: 0x0041a000
success 1 0
1619970652.369625
WriteProcessMemory
process_identifier: 2944
buffer:
process_handle: 0x00001c48
base_address: 0x004a0000
success 1 0
1619970652.385625
WriteProcessMemory
process_identifier: 2944
buffer: @
process_handle: 0x00001c48
base_address: 0x7efde008
success 1 0
1619970652.385625
NtSetContextThread
thread_handle: 0x0000bb60
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2944
success 0 0
1619970652.651625
NtResumeThread
thread_handle: 0x0000bb60
suspend_count: 1
process_identifier: 2944
success 0 0
1619970653.713875
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2944
success 0 0
File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)
Elastic malicious (high confidence)
DrWeb BackDoor.SpyBotNET.25
MicroWorld-eScan Trojan.GenericKD.34413845
FireEye Generic.mg.dc2c3cb91df0b5fd
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Spyware.LokiBot
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056d32e1 )
Alibaba Trojan:Win32/Kryptik.c6176d44
K7GW Trojan ( 0056d32e1 )
Cybereason malicious.9f2c97
Arcabit Trojan.Generic.D20D1D15
Cyren W32/MSIL_Troj.YK.gen!Eldorado
Symantec Infostealer.Atesla
ESET-NOD32 a variant of MSIL/Kryptik.XKX
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan.MSIL.Crypt.gen
BitDefender Trojan.GenericKD.34413845
NANO-Antivirus Trojan.Win32.Crypt.htftzo
Paloalto generic.ml
ViRobot Trojan.Win32.S.Infostealer.566784
Tencent Win32.Backdoor.Fareit.Auto
Ad-Aware Trojan.GenericKD.34413845
Comodo Malware@#39s2vleaoxspe
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.Generic.hc
Sophos Mal/Generic-S
SentinelOne DFI - Malicious PE
Avira HEUR/AGEN.1138513
Microsoft Trojan:MSIL/AgentTesla.MA!MTB
ZoneAlarm HEUR:Trojan.MSIL.Crypt.gen
GData Trojan.GenericKD.34413845
AhnLab-V3 Trojan/Win32.MSIL.R348928
McAfee Fareit-FYV!DC2C3CB91DF0
MAX malware (ai score=83)
VBA32 TScope.Trojan.MSIL
Yandex Trojan.AvsArher.bSK66A
Ikarus Trojan.MSIL.Inject
MaxSecure Trojan.Malware.11716371.susgen
Fortinet MSIL/Zmutzy.CDD!tr
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
Qihoo-360 Generic/Trojan.21a
Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running) (2 events)
dead_host 79.124.8.8:80
dead_host 172.217.160.78:443
Visual analysis

Binary image

No binary image: no binary visualization image was generated for this sample.

Runtime screenshots

No runtime screenshots: no screenshots were captured while the sample ran.


PE Compile Time

2020-08-24 07:25:33

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49186 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49185 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49184 203.208.41.98 update.googleapis.com 443
192.168.56.101 49187 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619941453&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619941453&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=381372dfd472f8f7&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619941453&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=381372dfd472f8f7&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619941453&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.