SmartHawk

15.2

0-day

55 个模型检测该样本为恶意！

重新分析

下载样本

119b5245ce5d74924a8b9197fab672d520bdca56364b0a2826f76ecec1855501

2123928988d4a6b3dee458930029c031.exe

分析耗时

81s

最近分析

文件大小

640.0KB

静态报毒动态报毒 AGEN AGENTTESLA AI SCORE=85 ALI2000008 ATTRIBUTE AWFM CONFIDENCE CSHARP ELDORADO FAREIT G8KYMKS9PSA GDSDA GENERICKDZ GOLROTED HAWKEYE HAWKEYEKEYLOGGER HEYE HIGH CONFIDENCE HIGHCONFIDENCE HNAX HQQFDH INJECT3 INJECTORX KRYPTIK MALICIOUS PE MALWARE@#1GKY93YRKY9H2 MXRESICN OMW@AGAQBBH R347368 SCORE STATIC AI THJOIBO UNSAFE ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/csharp.ali2000008	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:InjectorX-gen [Trj]	20201210	21.1.5827.0
Kingsoft		20201211	2017.9.26.565
McAfee	Fareit-FVK!2123928988D4	20201211	6.0.6.653
Tencent	Msil.Trojan-spy.Heye.Hnax	20201211	1.0.0.1
CrowdStrike	win/malicious_confidence_80% (W)	20190702	1.0

Queries for the computername (13 个事件)

Time & API	Arguments	Status	Return
1619277007.387125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619277007.653125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619277007.669125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619277007.700125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619277007.715125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619277007.731125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619277008.856125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619277008.903125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619277022.809125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619277022.981125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619277028.325125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619277028.372125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619277017.247 GetComputerNameA	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (4 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269224.753241 IsDebuggerPresent		failed	0	0
1619269224.753241 IsDebuggerPresent		failed	0	0
1619276990.231125 IsDebuggerPresent		failed	0	0
1619276990.231125 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269224.784241 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619277008.919125 __exception__	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77da9e31 IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x7637d141 OleCreateFromData+0x195 NdrProxyForwardingFunction4-0x81f ole32+0xc586d @ 0x767b586d ObjectStublessClient31+0x886b STGMEDIUM_UserUnmarshal-0x20e43 ole32+0x998db @ 0x767898db system+0x577bfc @ 0x718e7bfc system+0x7a0f66 @ 0x70ea0f66 system+0x7a092c @ 0x70ea092c system+0x7a058e @ 0x70ea058e system+0x79e700 @ 0x70e9e700 system+0x79d843 @ 0x70e9d843 system+0x79d8b1 @ 0x70e9d8b1 0x5f44d85 0x9a4368 system+0x216fb6 @ 0x70916fb6 0x29b09e5 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a 0x5f43c64 0x9a5911 0x74a315 system+0x222b78 @ 0x70922b78 system+0x222650 @ 0x70922650 system+0x2157c3 @ 0x709157c3 system+0x2155c0 @ 0x709155c0 system+0x221537 @ 0x70921537 system+0x217408 @ 0x70917408 system+0x2202aa @ 0x709202aa system+0x221460 @ 0x70921460 system+0x220129 @ 0x70920129 system+0x2170f3 @ 0x709170f3 system+0x217071 @ 0x70917071 system+0x216fb6 @ 0x70916fb6 0x29b09e5 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5 system+0x23252c @ 0x7093252c system+0xaec65d @ 0x711ec65d system+0x212c60 @ 0x70912c60 system+0x226d9d @ 0x70926d9d system+0x226c81 @ 0x70926c81 0x9a3095 0x9a2bd7 0x9a0ce9 0x9a0135 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 registers.esp: 1368348 registers.edi: 5177344 registers.eax: 4294967288 registers.ebp: 1368392 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 5177344 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77da9e58	success	0	0
1619277029.825125 __exception__	stacktrace: 0x6e117b3 mscorlib+0x2aae5b @ 0x71ebae5b mscorlib+0x234db5 @ 0x71e44db5 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 LogHelp_TerminateOnAssert+0x42ba0 StrongNameErrorInfo-0x452fa clr+0x9f5f8 @ 0x73f0f5f8 LogHelp_TerminateOnAssert+0x42cf7 StrongNameErrorInfo-0x451a3 clr+0x9f74f @ 0x73f0f74f mscorlib+0x234cba @ 0x71e44cba mscorlib+0x237f34 @ 0x71e47f34 mscorlib+0x2aade8 @ 0x71ebade8 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 GetPrivateContextsPerfCounters+0x8a13 PreBindAssemblyEx-0xb234 clr+0x19b512 @ 0x7400b512 LogHelp_TerminateOnAssert+0x591ad StrongNameErrorInfo-0x2eced clr+0xb5c05 @ 0x73f25c05 LogHelp_TerminateOnAssert+0x5922f StrongNameErrorInfo-0x2ec6b clr+0xb5c87 @ 0x73f25c87 LogHelp_TerminateOnAssert+0x592ea StrongNameErrorInfo-0x2ebb0 clr+0xb5d42 @ 0x73f25d42 LogHelp_TerminateOnAssert+0x59381 StrongNameErrorInfo-0x2eb19 clr+0xb5dd9 @ 0x73f25dd9 GetPrivateContextsPerfCounters+0x88e6 PreBindAssemblyEx-0xb361 clr+0x19b3e5 @ 0x7400b3e5 GetPrivateContextsPerfCounters+0x87e1 PreBindAssemblyEx-0xb466 clr+0x19b2e0 @ 0x7400b2e0 LogHelp_TerminateOnAssert+0x58fb0 StrongNameErrorInfo-0x2eeea clr+0xb5a08 @ 0x73f25a08 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 134603160 registers.edi: 134603248 registers.eax: 0 registers.ebp: 134603264 registers.edx: 8 registers.ebx: 0 registers.esi: 46287180 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 98 8b 45 98 89 45 cc exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6e11ebb	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619277008.919125
__exception__

stacktrace:

_vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77da9e31
IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x7637d141
OleCreateFromData+0x195 NdrProxyForwardingFunction4-0x81f ole32+0xc586d @ 0x767b586d
ObjectStublessClient31+0x886b STGMEDIUM_UserUnmarshal-0x20e43 ole32+0x998db @ 0x767898db
system+0x577bfc @ 0x718e7bfc
system+0x7a0f66 @ 0x70ea0f66
system+0x7a092c @ 0x70ea092c
system+0x7a058e @ 0x70ea058e
system+0x79e700 @ 0x70e9e700
system+0x79d843 @ 0x70e9d843
system+0x79d8b1 @ 0x70e9d8b1
0x5f44d85
0x9a4368
system+0x216fb6 @ 0x70916fb6
0x29b09e5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
0x5f43c64
0x9a5911
0x74a315
system+0x222b78 @ 0x70922b78
system+0x222650 @ 0x70922650
system+0x2157c3 @ 0x709157c3
system+0x2155c0 @ 0x709155c0
system+0x221537 @ 0x70921537
system+0x217408 @ 0x70917408
system+0x2202aa @ 0x709202aa
system+0x221460 @ 0x70921460
system+0x220129 @ 0x70920129
system+0x2170f3 @ 0x709170f3
system+0x217071 @ 0x70917071
system+0x216fb6 @ 0x70916fb6
0x29b09e5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
system+0x23252c @ 0x7093252c
system+0xaec65d @ 0x711ec65d
system+0x212c60 @ 0x70912c60
system+0x226d9d @ 0x70926d9d
system+0x226c81 @ 0x70926c81
0x9a3095
0x9a2bd7
0x9a0ce9
0x9a0135
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2

registers.esp: 1368348
registers.edi: 5177344
registers.eax: 4294967288
registers.ebp: 1368392
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 5177344
exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84
exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58
exception.instruction: cmp byte ptr [eax + 7], 5
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 499288
exception.address: 0x77da9e58

success

1619277029.825125
__exception__

stacktrace:

0x6e117b3
mscorlib+0x2aae5b @ 0x71ebae5b
mscorlib+0x234db5 @ 0x71e44db5
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
LogHelp_TerminateOnAssert+0x42ba0 StrongNameErrorInfo-0x452fa clr+0x9f5f8 @ 0x73f0f5f8
LogHelp_TerminateOnAssert+0x42cf7 StrongNameErrorInfo-0x451a3 clr+0x9f74f @ 0x73f0f74f
mscorlib+0x234cba @ 0x71e44cba
mscorlib+0x237f34 @ 0x71e47f34
mscorlib+0x2aade8 @ 0x71ebade8
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
GetPrivateContextsPerfCounters+0x8a13 PreBindAssemblyEx-0xb234 clr+0x19b512 @ 0x7400b512
LogHelp_TerminateOnAssert+0x591ad StrongNameErrorInfo-0x2eced clr+0xb5c05 @ 0x73f25c05
LogHelp_TerminateOnAssert+0x5922f StrongNameErrorInfo-0x2ec6b clr+0xb5c87 @ 0x73f25c87
LogHelp_TerminateOnAssert+0x592ea StrongNameErrorInfo-0x2ebb0 clr+0xb5d42 @ 0x73f25d42
LogHelp_TerminateOnAssert+0x59381 StrongNameErrorInfo-0x2eb19 clr+0xb5dd9 @ 0x73f25dd9
GetPrivateContextsPerfCounters+0x88e6 PreBindAssemblyEx-0xb361 clr+0x19b3e5 @ 0x7400b3e5
GetPrivateContextsPerfCounters+0x87e1 PreBindAssemblyEx-0xb466 clr+0x19b2e0 @ 0x7400b2e0
LogHelp_TerminateOnAssert+0x58fb0 StrongNameErrorInfo-0x2eeea clr+0xb5a08 @ 0x73f25a08
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 134603160
registers.edi: 134603248
registers.eax: 0
registers.ebp: 134603264
registers.edx: 8
registers.ebx: 0
registers.esi: 46287180
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 98 8b 45 98 89 45 cc
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6e11ebb

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 个事件)

Time & API	Arguments	Status	Return
1619276991.840125 bind	ip_address: 127.0.0.1 socket: 696 port: 0	success	0
1619276991.840125 listen	socket: 696 backlog: 2147483647	success	0
1619276991.840125 accept	ip_address: 127.0.0.1 socket: 696 port: 0	failed	4294967295

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://whatismyipaddress.com/

Performs some HTTP requests (1 个事件)

request

GET http://whatismyipaddress.com/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 144 个事件)

Time & API	Arguments	Status
1619269223.925241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00230000	success
1619269223.925241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00250000	success
1619269224.471241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x003e0000	success
1619269224.471241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f0000	success
1619269224.596241 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619269224.753241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02200000	success
1619269224.753241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02370000	success
1619269224.753241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002da000	success
1619269224.753241 NtProtectVirtualMemory	process_identifier: 732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1619269224.753241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x002d2000	success
1619269224.956241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e2000	success
1619269225.065241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00445000	success
1619269225.065241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0044b000	success
1619269225.065241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00447000	success
1619269225.159241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e3000	success
1619269225.206241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ec000	success
1619269225.268241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e0000	success
1619269225.300241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00436000	success
1619269225.315241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043a000	success
1619269225.315241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00437000	success
1619269225.440241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e4000	success
1619269225.706241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e5000	success
1619269225.846241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005e1000	success
1619269225.956241 NtAllocateVirtualMemory	process_identifier: 732 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x006f0000	success
1619276990.184125 NtProtectVirtualMemory	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75261000	success
1619276990.184125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00840000	success
1619276990.184125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00940000	success
1619276990.215125 NtProtectVirtualMemory	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619276990.215125 NtProtectVirtualMemory	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x751a1000	success
1619276990.215125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02850000	success
1619276990.215125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x029b0000	success
1619276990.215125 NtProtectVirtualMemory	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619276990.231125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x029f0000	success
1619276990.231125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02bc0000	success
1619276990.231125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0074a000	success
1619276990.231125 NtProtectVirtualMemory	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1619276990.231125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00742000	success
1619276990.262125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00752000	success
1619276990.278125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00775000	success
1619276990.278125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0077b000	success
1619276990.278125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00777000	success
1619276990.294125 NtProtectVirtualMemory	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x755f1000	success
1619276990.325125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00753000	success
1619276990.340125 NtProtectVirtualMemory	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x747f1000	success
1619276990.419125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00754000	success
1619276990.419125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00755000	success
1619276990.419125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0075c000	success
1619276990.434125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009a0000	success
1619276990.700125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00756000	success
1619276990.700125 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00758000	success

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619277022.66875 GetDiskFreeSpaceW	root_path: C: sectors_per_cluster: 8362495 number_of_free_clusters: 8362495 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1	0
1619277022.69975 GetDiskFreeSpaceW	root_path: C: sectors_per_cluster: 8362495 number_of_free_clusters: 8362495 total_number_of_clusters: 8362495 bytes_per_sector: 512	success	1	0

Steals private information from local Internet browsers (50 out of 58 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\AutofillStates\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crowd Deny\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crowd Deny\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Safe Browsing\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\hyphen-data\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Floc\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\GrShaderCache\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Floc\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\hyphen-data\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SafetyTips\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SafetyTips\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\GrShaderCache\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\MEIPreload\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\MEIPreload\Web Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data

Looks up the external IP address (1 个事件)

domain

whatismyipaddress.com

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619277002.872125 GetAdaptersAddresses	flags: 1158 family: 0	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.189624177323174

section

{'size_of_data': '0x0009fa00', 'virtual_address': '0x00002000', 'entropy': 7.189624177323174, 'name': '.text', 'virtual_size': '0x0009f9e4'}

description

A section with a high entropy has been found

entropy

0.9984362783424551

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619277008.512125 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619277011.762125 NtAllocateVirtualMemory	process_identifier: 3048 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000046c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0
1619277021.512125 NtAllocateVirtualMemory	process_identifier: 1244 region_size: 360448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003ac allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

A process attempted to delay the analysis task. (1 个事件)

description

RegAsm.exe tried to sleep 2728239 seconds, actually delayed analysis time by 2728239 seconds

Attempts to access Bitcoin/ALTCoin wallets (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\bitcoin\wallet.dat

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\holderwb.txt

Executes one or more WMI queries (3 个事件)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM FirewallProduct
wmi	select * from Win32_OperatingSystem

Harvests information related to installed instant messenger clients (1 个事件)

registry

HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Manipulates memory of a non-child process indicative of process injection (3 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 732 manipulating memory of non-child process 2620
1619269226.284241 NtAllocateVirtualMemory	process_identifier: 2620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000224 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619269226.284241 NtAllocateVirtualMemory	process_identifier: 2620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000224 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0

Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619277008.575125 SetWindowsHookExA	thread_identifier: 0 callback_function: 0x029c698a module_address: 0x00400000 hook_identifier: 13 (WH_KEYBOARD_LL)	success	1180053	0

Harvests credentials from local email clients (6 个事件)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
registry	HKEY_CURRENT_USER\Identities\{586FBF3B-F35E-46E2-9DB8-9E15DC75E9A1}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2136 called NtSetContextThread to modify thread in remote process 3048
Process injection	Process 2136 called NtSetContextThread to modify thread in remote process 1244
1619277011.762125 NtSetContextThread	thread_handle: 0x000004e0 registers.eip: 2010382788 registers.esp: 1638384 registers.edi: 0 registers.eax: 4265556 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3048	success	0	0
1619277021.512125 NtSetContextThread	thread_handle: 0x00000590 registers.eip: 2010382788 registers.esp: 1638384 registers.edi: 0 registers.eax: 4466216 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1244	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2136 resumed a thread in remote process 3048
Process injection	Process 2136 resumed a thread in remote process 1244
1619277011.950125 NtResumeThread	thread_handle: 0x000004e0 suspend_count: 1 process_identifier: 3048	success	0	0
1619277021.684125 NtResumeThread	thread_handle: 0x00000590 suspend_count: 1 process_identifier: 1244	success	0	0

Attempts to modify Explorer settings to prevent hidden files from being displayed (1 个事件)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden

Executed a process and injected code into it, probably while unpacking (44 个事件)

Time & API	Arguments	Status	Return
1619269224.753241 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 732	success	0
1619269224.768241 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 732	success	0
1619269224.784241 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 732	success	0
1619269225.487241 NtResumeThread	thread_handle: 0x000001cc suspend_count: 1 process_identifier: 732	success	0
1619269226.284241 NtAllocateVirtualMemory	process_identifier: 2620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000224 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0
1619269226.284241 NtAllocateVirtualMemory	process_identifier: 2620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000224 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0
1619269226.378241 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000230 allocation_type: 4096 (MEM_COMMIT) base_address: 0x001e0000	success	0
1619269226.393241 NtAllocateVirtualMemory	process_identifier: 2136 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000230 allocation_type: 4096 (MEM_COMMIT) base_address: 0x001f0000	success	0
1619276990.231125 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2136	success	0
1619276990.231125 NtResumeThread	thread_handle: 0x000001b8 suspend_count: 1 process_identifier: 2136	success	0
1619276990.247125 NtResumeThread	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2136	success	0
1619276991.856125 NtResumeThread	thread_handle: 0x000002dc suspend_count: 1 process_identifier: 2136	success	0
1619277003.387125 NtResumeThread	thread_handle: 0x0000048c suspend_count: 1 process_identifier: 2136	success	0
1619277007.403125 NtResumeThread	thread_handle: 0x000004f4 suspend_count: 1 process_identifier: 2136	success	0
1619277007.481125 NtResumeThread	thread_handle: 0x00000540 suspend_count: 1 process_identifier: 2136	success	0
1619277007.700125 NtResumeThread	thread_handle: 0x000005a4 suspend_count: 1 process_identifier: 2136	success	0
1619277007.747125 NtResumeThread	thread_handle: 0x000005bc suspend_count: 1 process_identifier: 2136	success	0
1619277007.747125 NtResumeThread	thread_handle: 0x000005d0 suspend_count: 1 process_identifier: 2136	success	0
1619277007.778125 NtResumeThread	thread_handle: 0x000005e4 suspend_count: 1 process_identifier: 2136	success	0
1619277008.372125 NtResumeThread	thread_handle: 0x000005fc suspend_count: 1 process_identifier: 2136	success	0
1619277008.403125 NtResumeThread	thread_handle: 0x00000614 suspend_count: 1 process_identifier: 2136	success	0
1619277008.450125 NtResumeThread	thread_handle: 0x00000624 suspend_count: 1 process_identifier: 2136	success	0
1619277008.465125 NtResumeThread	thread_handle: 0x0000063c suspend_count: 1 process_identifier: 2136	success	0
1619277008.575125 NtResumeThread	thread_handle: 0x00000650 suspend_count: 1 process_identifier: 2136	success	0
1619277008.887125 NtResumeThread	thread_handle: 0x0000067c suspend_count: 1 process_identifier: 2136	success	0
1619277011.403125 NtResumeThread	thread_handle: 0x00000540 suspend_count: 1 process_identifier: 2136	success	0
1619277011.762125 CreateProcessInternalW	thread_identifier: 2244 thread_handle: 0x000004e0 process_identifier: 3048 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\holdermail.txt" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000046c inherit_handles: 0	success	1
1619277011.762125 NtUnmapViewOfSection	process_identifier: 3048 region_size: 4096 process_handle: 0x0000046c base_address: 0x00400000	success	0
1619277011.762125 NtAllocateVirtualMemory	process_identifier: 3048 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000046c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619277011.762125 NtGetContextThread	thread_handle: 0x000004e0	success	0
1619277011.762125 NtSetContextThread	thread_handle: 0x000004e0 registers.eip: 2010382788 registers.esp: 1638384 registers.edi: 0 registers.eax: 4265556 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3048	success	0
1619277011.950125 NtResumeThread	thread_handle: 0x000004e0 suspend_count: 1 process_identifier: 3048	success	0
1619277021.403125 NtResumeThread	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 2136	success	0
1619277021.512125 CreateProcessInternalW	thread_identifier: 2168 thread_handle: 0x00000590 process_identifier: 1244 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\holderwb.txt" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000003ac inherit_handles: 0	success	1
1619277021.512125 NtUnmapViewOfSection	process_identifier: 1244 region_size: 4096 process_handle: 0x000003ac base_address: 0x00400000	success	0
1619277021.512125 NtAllocateVirtualMemory	process_identifier: 1244 region_size: 360448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003ac allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619277021.512125 NtGetContextThread	thread_handle: 0x00000590	success	0
1619277021.512125 NtSetContextThread	thread_handle: 0x00000590 registers.eip: 2010382788 registers.esp: 1638384 registers.edi: 0 registers.eax: 4466216 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1244	success	0
1619277021.684125 NtResumeThread	thread_handle: 0x00000590 suspend_count: 1 process_identifier: 1244	success	0
1619277022.809125 NtResumeThread	thread_handle: 0x000006ac suspend_count: 1 process_identifier: 2136	success	0
1619277028.340125 NtResumeThread	thread_handle: 0x000006dc suspend_count: 1 process_identifier: 2136	success	0
1619277036.419125 NtResumeThread	thread_handle: 0x000006c4 suspend_count: 1 process_identifier: 2136	success	0
1619277017.231 NtResumeThread	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 3048	success	0
1619277021.96475 NtResumeThread	thread_handle: 0x00000100 suspend_count: 1 process_identifier: 1244	success	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.69253
FireEye	Generic.mg.2123928988d4a6b3
ALYac	Trojan.Agent.HawkEye
Malwarebytes	Spyware.HawkEyeKeyLogger
Zillya	Trojan.Kryptik.Win32.2360825
Sangfor	Malware
K7AntiVirus	Trojan ( 0056081c1 )
Alibaba	Trojan:Win32/csharp.ali2000008
K7GW	Trojan ( 0056081c1 )
Cybereason	malicious.988d4a
Arcabit	Trojan.Generic.D10E85
Cyren	W32/MSIL_Kryptik.BIF.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.MSIL.Heye.gen
BitDefender	Trojan.GenericKDZ.69253
NANO-Antivirus	Trojan.Win32.Heye.hqqfdh
Avast	Win32:InjectorX-gen [Trj]
Ad-Aware	Trojan.GenericKDZ.69253
Emsisoft	Trojan.GenericKDZ.69253 (B)
Comodo	Malware@#1gky93yrky9h2
F-Secure	Heuristic.HEUR/AGEN.1106069
DrWeb	Trojan.Inject3.48374
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Worm.MSIL.GOLROTED.THJOIBO
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
MaxSecure	Win.MxResIcn.Heur.Gen
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
Jiangmin	TrojanSpy.MSIL.awfm
Avira	HEUR/AGEN.1106069
MAX	malware (ai score=85)
Antiy-AVL	Trojan/MSIL.Kryptik
Gridinsoft	Trojan.Win32.Kryptik.oa
Microsoft	Trojan:MSIL/AgentTesla.M!MTB
AegisLab	Trojan.MSIL.Heye.l!c
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Heye.gen
GData	Trojan.GenericKDZ.69253
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Kryptik.R347368
Acronis	suspicious
McAfee	Fareit-FVK!2123928988D4
Cylance	Unsafe
ESET-NOD32	a variant of MSIL/Kryptik.WOX
TrendMicro-HouseCall	Worm.MSIL.GOLROTED.THJOIBO
Tencent	Msil.Trojan-spy.Heye.Hnax
Yandex	Trojan.Kryptik!G8kyMks9PsA
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Kryptik.WOU!tr

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-05 13:31:41

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
whatismyipaddress.com	A 104.16.154.36 A 104.16.155.36	104.16.154.36
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49178	104.16.154.36 whatismyipaddress.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

URI	Data
http://whatismyipaddress.com/	GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.