12.4
0-day
53 个模型检测该样本为恶意!
重新分析
更多

d9bbb3bf6c21725526552c27f014bdfdec2b83d229d0a714c7e2b5197cd41f85

048a9c56714917abc3ebc6e78e4428af.exe

分析耗时

76s

最近分析

文件大小

495.0KB
静态报毒 动态报毒 AGENSLA AGENTTESLA AI SCORE=81 ATTRIBUTE BTKV8M CONFIDENCE EKSW EM0@A4FFGWP FAREIT GDSDA GENERICKD GENKRYPTIK HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE IGENT INJECT3 KRYPTIK MALICIOUS PE MALWARE@#3JN4YPDIHRTPX OCCAMY PWSX QQPASS QQROB QVM03 R06EC0PIA20 R342574 SCORE STATIC AI SUSGEN TROJANPSW TWNBZ UNSAFE YAKBEEXMSIL ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FTJ!048A9C567149 20201211 6.0.6.653
Alibaba TrojanPSW:MSIL/Agensla.ebef5464 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20201210 21.1.5827.0
Tencent Msil.Trojan-qqpass.Qqrob.Eoo 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
Queries for the computername (5 个事件)
Time & API Arguments Status Return Repeated
1619156383.672501
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619156387.626626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619156389.297626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619156391.016626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619156391.422626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (4 个事件)
Time & API Arguments Status Return Repeated
1619134515.004445
IsDebuggerPresent
failed 0 0
1619134515.004445
IsDebuggerPresent
failed 0 0
1619156386.501626
IsDebuggerPresent
failed 0 0
1619156386.501626
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619156384.329501
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\HfaiAeEOJnOc"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619134515.035445
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (6 个事件)
Time & API Arguments Status Return Repeated
1619156390.954626
__exception__
stacktrace: 
0x8300a5
0x449f21a
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3403048
registers.edi: 3403076
registers.eax: 0
registers.ebp: 3403092
registers.edx: 8
registers.ebx: 0
registers.esi: 38763476
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 ee aa 28 c9 e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8337e2
success 0 0
1619156425.282626
__exception__
stacktrace: 
0x57b0d7a
0x449f95f
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3401708
registers.edi: 0
registers.eax: 0
registers.ebp: 3401784
registers.edx: 38536360
registers.ebx: 38981964
registers.esi: 648035910
registers.ecx: 0
exception.instruction_r: 39 09 e8 66 82 ba 6c 89 45 b8 b8 ef 09 56 73 35
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x52441d7
success 0 0
1619156429.235626
__exception__
stacktrace: 
0x57b1688
0x449f95f
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3401664
registers.edi: 0
registers.eax: 0
registers.ebp: 3401784
registers.edx: 38536360
registers.ebx: 0
registers.esi: 648035910
registers.ecx: 0
exception.instruction_r: 39 09 e8 b9 f1 56 6c 83 78 04 00 0f 84 18 04 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x587d284
success 0 0
1619156429.532626
__exception__
stacktrace: 
0x57b1aa8
0x449f95f
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3401724
registers.edi: 40621928
registers.eax: 40624088
registers.ebp: 3401784
registers.edx: 40624088
registers.ebx: 0
registers.esi: 0
registers.ecx: 1908490458
exception.instruction_r: 39 06 68 ff ff ff 7f 6a 00 8b ce e8 32 6e 74 6c
exception.instruction: cmp dword ptr [esi], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5781a3e
success 0 0
1619156429.563626
__exception__
stacktrace: 
0x57b1c47
0x449f95f
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3401728
registers.edi: 40649676
registers.eax: 3
registers.ebp: 3401784
registers.edx: 0
registers.ebx: 38981964
registers.esi: 40650980
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 2c ff 50 14 39 00 89 45 c8 b8 5b 0e
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5782969
success 0 0
1619156429.751626
__exception__
stacktrace: 
0x449f95f
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3401792
registers.edi: 38982492
registers.eax: 0
registers.ebp: 3403140
registers.edx: 7
registers.ebx: 38981964
registers.esi: 2100378947
registers.ecx: 11
exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 8b 95 38 fb ff ff
exception.instruction: cmp dword ptr [eax + 4], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x57b21d5
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 188 个事件)
Time & API Arguments Status Return Repeated
1619134514.238445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00710000
success 0 0
1619134514.238445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00830000
success 0 0
1619134514.644445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x004e0000
success 0 0
1619134514.644445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00510000
success 0 0
1619134514.816445
NtProtectVirtualMemory
process_identifier: 392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619134515.004445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x021b0000
success 0 0
1619134515.004445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02370000
success 0 0
1619134515.004445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0055a000
success 0 0
1619134515.004445
NtProtectVirtualMemory
process_identifier: 392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619134515.004445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00552000
success 0 0
1619134515.316445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00562000
success 0 0
1619134515.550445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00595000
success 0 0
1619134515.566445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0059b000
success 0 0
1619134515.566445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00597000
success 0 0
1619134515.738445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00563000
success 0 0
1619134515.800445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056c000
success 0 0
1619134515.847445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c0000
success 0 0
1619134515.879445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00564000
success 0 0
1619134515.879445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c1000
success 0 0
1619134515.894445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c2000
success 0 0
1619134515.894445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c3000
success 0 0
1619134515.910445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c4000
success 0 0
1619134515.957445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c5000
success 0 0
1619134516.425445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00565000
success 0 0
1619134516.425445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00567000
success 0 0
1619134516.504445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00568000
success 0 0
1619134516.613445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00569000
success 0 0
1619134516.613445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c6000
success 0 0
1619134516.629445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0057a000
success 0 0
1619134516.629445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00577000
success 0 0
1619134516.722445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c7000
success 0 0
1619134517.097445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00576000
success 0 0
1619134517.254445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006cc000
success 0 0
1619134517.254445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006cd000
success 0 0
1619134517.425445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056a000
success 0 0
1619134517.504445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006ce000
success 0 0
1619134517.707445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006cf000
success 0 0
1619134517.722445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00511000
success 0 0
1619134517.832445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c50000
success 0 0
1619134517.863445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c51000
success 0 0
1619134517.863445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c52000
success 0 0
1619134517.879445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c80000
success 0 0
1619134517.894445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c53000
success 0 0
1619134517.894445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02371000
success 0 0
1619134517.894445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02372000
success 0 0
1619134517.910445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02373000
success 0 0
1619134517.910445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02374000
success 0 0
1619134517.910445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02375000
success 0 0
1619134517.910445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02379000
success 0 0
1619134517.910445
NtAllocateVirtualMemory
process_identifier: 392
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0238a000
success 0 0
Steals private information from local Internet browsers (7 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
Creates a suspicious process (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\HfaiAeEOJnOc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6A7C.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HfaiAeEOJnOc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6A7C.tmp"
A process created a hidden window (2 个事件)
Time & API Arguments Status Return Repeated
1619134521.832445
ShellExecuteExW
parameters: /Create /TN "Updates\HfaiAeEOJnOc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6A7C.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
1619156425.672626
CreateProcessInternalW
thread_identifier: 176
thread_handle: 0x000003fc
process_identifier: 1664
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x0000040c
inherit_handles: 1
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.842308570897051 section {'size_of_data': '0x0007b200', 'virtual_address': '0x00002000', 'entropy': 7.842308570897051, 'name': '.text', 'virtual_size': '0x0007b154'} description A section with a high entropy has been found
entropy 0.9959555106167847 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619156387.219626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (3 个事件)
cmdline schtasks.exe /Create /TN "Updates\HfaiAeEOJnOc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6A7C.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HfaiAeEOJnOc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6A7C.tmp"
cmdline "netsh" wlan show profile
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619134524.472445
NtAllocateVirtualMemory
process_identifier: 2668
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000398
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description RegSvcs.exe tried to sleep 2728236 seconds, actually delayed analysis time by 2728236 seconds
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6A7C.tmp
Harvests credentials from local FTP client softwares (4 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619134524.472445
WriteProcessMemory
process_identifier: 2668
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELzá½^à ®Í à@  @…¸ÌSà  H.text­ ® `.rsrcà°@@.reloc ´@B
process_handle: 0x00000398
base_address: 0x00400000
success 1 0
1619134524.472445
WriteProcessMemory
process_identifier: 2668
buffer: €0€HXत4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h$InternalNamecmTXoDLJMSotpSfNVSQrPUHsDUaarvA.exe(LegalCopyright p$OriginalFilenamecmTXoDLJMSotpSfNVSQrPUHsDUaarvA.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00000398
base_address: 0x0044e000
success 1 0
1619134524.472445
WriteProcessMemory
process_identifier: 2668
buffer: À =
process_handle: 0x00000398
base_address: 0x00450000
success 1 0
1619134524.472445
WriteProcessMemory
process_identifier: 2668
buffer: @
process_handle: 0x00000398
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619134524.472445
WriteProcessMemory
process_identifier: 2668
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELzá½^à ®Í à@  @…¸ÌSà  H.text­ ® `.rsrcà°@@.reloc ´@B
process_handle: 0x00000398
base_address: 0x00400000
success 1 0
Harvests credentials from local email clients (5 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 392 called NtSetContextThread to modify thread in remote process 2668
Time & API Arguments Status Return Repeated
1619134524.472445
NtSetContextThread
thread_handle: 0x00000344
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4508942
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2668
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 392 resumed a thread in remote process 2668
Time & API Arguments Status Return Repeated
1619134524.707445
NtResumeThread
thread_handle: 0x00000344
suspend_count: 1
process_identifier: 2668
success 0 0
Executed a process and injected code into it, probably while unpacking (28 个事件)
Time & API Arguments Status Return Repeated
1619134515.004445
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 392
success 0 0
1619134515.004445
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 392
success 0 0
1619134515.238445
NtResumeThread
thread_handle: 0x00000174
suspend_count: 1
process_identifier: 392
success 0 0
1619134521.832445
CreateProcessInternalW
thread_identifier: 368
thread_handle: 0x00000350
process_identifier: 2616
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HfaiAeEOJnOc" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6A7C.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000388
inherit_handles: 0
success 1 0
1619134524.472445
CreateProcessInternalW
thread_identifier: 3004
thread_handle: 0x00000344
process_identifier: 2668
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000398
inherit_handles: 0
success 1 0
1619134524.472445
NtGetContextThread
thread_handle: 0x00000344
success 0 0
1619134524.472445
NtAllocateVirtualMemory
process_identifier: 2668
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000398
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619134524.472445
WriteProcessMemory
process_identifier: 2668
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELzá½^à ®Í à@  @…¸ÌSà  H.text­ ® `.rsrcà°@@.reloc ´@B
process_handle: 0x00000398
base_address: 0x00400000
success 1 0
1619134524.472445
WriteProcessMemory
process_identifier: 2668
buffer:
process_handle: 0x00000398
base_address: 0x00402000
success 1 0
1619134524.472445
WriteProcessMemory
process_identifier: 2668
buffer: €0€HXत4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h$InternalNamecmTXoDLJMSotpSfNVSQrPUHsDUaarvA.exe(LegalCopyright p$OriginalFilenamecmTXoDLJMSotpSfNVSQrPUHsDUaarvA.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x00000398
base_address: 0x0044e000
success 1 0
1619134524.472445
WriteProcessMemory
process_identifier: 2668
buffer: À =
process_handle: 0x00000398
base_address: 0x00450000
success 1 0
1619134524.472445
WriteProcessMemory
process_identifier: 2668
buffer: @
process_handle: 0x00000398
base_address: 0x7efde008
success 1 0
1619134524.472445
NtSetContextThread
thread_handle: 0x00000344
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4508942
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2668
success 0 0
1619134524.707445
NtResumeThread
thread_handle: 0x00000344
suspend_count: 1
process_identifier: 2668
success 0 0
1619134524.707445
NtResumeThread
thread_handle: 0x000003ac
suspend_count: 1
process_identifier: 392
success 0 0
1619134524.722445
NtGetContextThread
thread_handle: 0x000003ac
success 0 0
1619134524.722445
NtResumeThread
thread_handle: 0x000003ac
suspend_count: 1
process_identifier: 392
success 0 0
1619156386.501626
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2668
success 0 0
1619156386.501626
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2668
success 0 0
1619156386.547626
NtResumeThread
thread_handle: 0x00000164
suspend_count: 1
process_identifier: 2668
success 0 0
1619156388.954626
NtResumeThread
thread_handle: 0x000002e4
suspend_count: 1
process_identifier: 2668
success 0 0
1619156389.094626
NtResumeThread
thread_handle: 0x00000314
suspend_count: 1
process_identifier: 2668
success 0 0
1619156391.001626
NtResumeThread
thread_handle: 0x00000368
suspend_count: 1
process_identifier: 2668
success 0 0
1619156397.422626
NtResumeThread
thread_handle: 0x000003b4
suspend_count: 1
process_identifier: 2668
success 0 0
1619156425.672626
CreateProcessInternalW
thread_identifier: 176
thread_handle: 0x000003fc
process_identifier: 1664
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x0000040c
inherit_handles: 1
success 1 0
1619156431.454626
NtResumeThread
thread_handle: 0x00000430
suspend_count: 1
process_identifier: 2668
success 0 0
1619156431.516626
NtResumeThread
thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2668
success 0 0
1619156426.751124
NtResumeThread
thread_handle: 0x0000022c
suspend_count: 1
process_identifier: 1664
success 0 0
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43178738
FireEye Generic.mg.048a9c56714917ab
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FTJ!048A9C567149
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 00566e7e1 )
Alibaba TrojanPSW:MSIL/Agensla.ebef5464
K7GW Trojan ( 00566e7e1 )
Cybereason malicious.d74495
Arcabit Trojan.Generic.D292DAF2
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.43178738
Paloalto generic.ml
AegisLab Trojan.MSIL.Agensla.i!c
Tencent Msil.Trojan-qqpass.Qqrob.Eoo
Ad-Aware Trojan.GenericKD.43178738
Emsisoft Trojan.GenericKD.43178738 (B)
Comodo Malware@#3jn4ypdihrtpx
F-Secure Trojan.TR/AD.AgentTesla.twnbz
DrWeb Trojan.Inject3.40215
TrendMicro TROJ_GEN.R06EC0PIA20
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Webroot W32.Trojan.Gen
Avira TR/AD.AgentTesla.twnbz
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft Trojan:Win32/Occamy.AA
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.43178738
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Kryptik.R342574
BitDefenderTheta Gen:NN.ZemsilF.34670.Em0@a4ffgwp
MAX malware (ai score=81)
VBA32 CIL.HeapOverride.Heur
Malwarebytes Spyware.AgentTesla
ESET-NOD32 a variant of MSIL/Kryptik.VYH
TrendMicro-HouseCall TROJ_GEN.R06EC0PIA20
Yandex Trojan.Igent.bTKV8M.6
Ikarus Trojan.MSIL.Inject
eGambit Unsafe.AI_Score_99%
Fortinet MSIL/GenKryptik.EKSW!tr
MaxSecure Trojan.Malware.300983.susgen
AVG Win32:PWSX-gen [Trj]
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-18 05:55:52

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.