SmartHawk

15.0

0-day

51 个模型检测该样本为恶意！

重新分析

下载样本

6c2fa9a9e49c002d659c7da5b809d0762b9fea676d3ce785675460335fe59af7

28ffa83affd82e017b6e666308ee013c.exe

分析耗时

99s

最近分析

文件大小

244.5KB

静态报毒动态报毒 AGENSLA AI SCORE=80 CONFIDENCE CXJDT ELDORADO FAREIT GDSDA GENERICKD GENERICRXKA GENKRYPTIK HIGH CONFIDENCE HUQH IBQQIJ KRYPT KXXISS9KJOI MALWARE@#1YO7ZOCS0WOI5 OCCAMY PCRYPT QQPASS QQROB R + TROJ R06EC0PI220 RANSOMX SCORE SIGGEN9 SUSGEN TROJANPSW TSCOPE UNSAFE YAKBEEXMSIL 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanPSW:Win32/Occamy.113c5e06	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:RansomX-gen [Ransom]	20201230	21.1.5827.0
Tencent	Msil.Trojan-qqpass.Qqrob.Huqh	20201230	1.0.0.1
Kingsoft		20201230	2017.9.26.565
McAfee	GenericRXKA-WH!28FFA83AFFD8	20201230	6.0.6.653
CrowdStrike	win/malicious_confidence_70% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619366946.832751 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619340473.9845 IsDebuggerPresent		failed	0	0

Command line console output was observed (50 out of 563 个事件)

Time & API	Arguments	Status	Return
1619366951.332751 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\hzJupOEjGnFo"。 console_handle: 0x00000007	success	1
1619366992.050001 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619366992.050001 WriteConsoleW	buffer: del console_handle: 0x00000007	success	1
1619366992.050001 WriteConsoleW	buffer: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" console_handle: 0x00000007	success	1
1619366992.082001 WriteConsoleW	buffer: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe console_handle: 0x00000007	success	1
1619366992.207001 WriteConsoleW	buffer: 拒绝访问。 console_handle: 0x0000000b	success	1
1619366992.207001 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619366992.207001 WriteConsoleW	buffer: if console_handle: 0x00000007	success	1
1619366992.207001 WriteConsoleW	buffer: exist "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" console_handle: 0x00000007	success	1
1619366992.207001 WriteConsoleW	buffer: goto console_handle: 0x00000007	success	1
1619366992.207001 WriteConsoleW	buffer: ktk console_handle: 0x00000007	success	1
1619366992.222001 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619366992.222001 WriteConsoleW	buffer: del console_handle: 0x00000007	success	1
1619366992.222001 WriteConsoleW	buffer: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" console_handle: 0x00000007	success	1
1619366992.238001 WriteConsoleW	buffer: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe console_handle: 0x00000007	success	1
1619366992.238001 WriteConsoleW	buffer: 拒绝访问。 console_handle: 0x0000000b	success	1
1619366992.238001 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619366992.238001 WriteConsoleW	buffer: if console_handle: 0x00000007	success	1
1619366992.238001 WriteConsoleW	buffer: exist "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" console_handle: 0x00000007	success	1
1619366992.238001 WriteConsoleW	buffer: goto console_handle: 0x00000007	success	1
1619366992.238001 WriteConsoleW	buffer: ktk console_handle: 0x00000007	success	1
1619366992.253001 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619366992.253001 WriteConsoleW	buffer: del console_handle: 0x00000007	success	1
1619366992.253001 WriteConsoleW	buffer: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" console_handle: 0x00000007	success	1
1619366992.253001 WriteConsoleW	buffer: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe console_handle: 0x00000007	success	1
1619366992.253001 WriteConsoleW	buffer: 拒绝访问。 console_handle: 0x0000000b	success	1
1619366992.253001 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619366992.253001 WriteConsoleW	buffer: if console_handle: 0x00000007	success	1
1619366992.253001 WriteConsoleW	buffer: exist "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" console_handle: 0x00000007	success	1
1619366992.253001 WriteConsoleW	buffer: goto console_handle: 0x00000007	success	1
1619366992.253001 WriteConsoleW	buffer: ktk console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: del console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: 拒绝访问。 console_handle: 0x0000000b	success	1
1619366992.269001 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: if console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: exist "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: goto console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: ktk console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: del console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe console_handle: 0x00000007	success	1
1619366992.269001 WriteConsoleW	buffer: 拒绝访问。 console_handle: 0x0000000b	success	1
1619366992.285001 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619366992.285001 WriteConsoleW	buffer: if console_handle: 0x00000007	success	1
1619366992.285001 WriteConsoleW	buffer: exist "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" console_handle: 0x00000007	success	1
1619366992.285001 WriteConsoleW	buffer: goto console_handle: 0x00000007	success	1

Tries to locate where the browsers are installed (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (36 个事件)

Time & API	Arguments	Status
1619340472.9065 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00960000	success
1619340472.9065 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b50000	success
1619340473.9225 NtProtectVirtualMemory	process_identifier: 1752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c51000	success
1619340473.9845 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0042a000	success
1619340473.9845 NtProtectVirtualMemory	process_identifier: 1752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73c52000	success
1619340473.9845 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00422000	success
1619340474.3285 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00532000	success
1619340474.4065 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00533000	success
1619340474.4225 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0056b000	success
1619340474.4225 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00567000	success
1619340474.5315 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0053c000	success
1619340475.2505 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00534000	success
1619340475.2505 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00535000	success
1619340475.2975 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00536000	success
1619340475.3125 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00700000	success
1619340475.3915 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0054a000	success
1619340475.3915 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00547000	success
1619340475.4065 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0055a000	success
1619340475.4225 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0042b000	success
1619340475.5625 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00546000	success
1619340475.6255 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00701000	success
1619340475.9845 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00af0000	success
1619340476.3595 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00552000	success
1619340476.3595 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0055c000	success
1619340476.4225 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00537000	success
1619340476.4375 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00565000	success
1619340476.4375 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0070b000	success
1619340476.5785 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00553000	success
1619340476.5945 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00538000	success
1619340476.9845 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b51000	success
1619340481.0945 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0070c000	success
1619340481.7035 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00af1000	success
1619340482.0475 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0053a000	success
1619340490.9535 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0070d000	success
1619340492.2345 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00af2000	success
1619340492.4225 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00423000	success

Steals private information from local Internet browsers (5 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Web Data
registry	HKEY_CURRENT_USER\Software\Opera Software

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\28957875.bat

Creates a suspicious process (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\hzJupOEjGnFo" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB5AE.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hzJupOEjGnFo" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB5AE.tmp"

Drops a binary and executes it (2 个事件)

file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\28957875.bat

A process created a hidden window (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619340483.2665 ShellExecuteExW	parameters: /Create /TN "Updates\hzJupOEjGnFo" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB5AE.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0
1619366991.035499 ShellExecuteExW	parameters: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\28957875.bat filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\28957875.bat show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

6.956973846816682

section

{'size_of_data': '0x0003c600', 'virtual_address': '0x00002000', 'entropy': 6.956973846816682, 'name': '.text', 'virtual_size': '0x0003c4cc'}

description

A section with a high entropy has been found

entropy

0.9897540983606558

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (21 个事件)

Time & API	Arguments	Status	Return
1619340492.2345 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619366959.300499 LookupPrivilegeValueW	system_name: privilege_name: SeTcbPrivilege	success	1
1619366959.300499 LookupPrivilegeValueW	system_name: privilege_name: SeCreateTokenPrivilege	success	1
1619366959.300499 LookupPrivilegeValueW	system_name: privilege_name: SeBackupPrivilege	success	1
1619366959.300499 LookupPrivilegeValueW	system_name: privilege_name: SeRestorePrivilege	success	1
1619366959.300499 LookupPrivilegeValueW	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	success	1
1619366990.769499 LookupPrivilegeValueW	system_name: privilege_name: SeTcbPrivilege	success	1
1619366990.769499 LookupPrivilegeValueW	system_name: privilege_name: SeCreateTokenPrivilege	success	1
1619366990.769499 LookupPrivilegeValueW	system_name: privilege_name: SeBackupPrivilege	success	1
1619366990.769499 LookupPrivilegeValueW	system_name: privilege_name: SeRestorePrivilege	success	1
1619366990.769499 LookupPrivilegeValueW	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	success	1
1619366990.925499 LookupPrivilegeValueW	system_name: privilege_name: SeTcbPrivilege	success	1
1619366990.925499 LookupPrivilegeValueW	system_name: privilege_name: SeCreateTokenPrivilege	success	1
1619366990.925499 LookupPrivilegeValueW	system_name: privilege_name: SeBackupPrivilege	success	1
1619366990.925499 LookupPrivilegeValueW	system_name: privilege_name: SeRestorePrivilege	success	1
1619366990.925499 LookupPrivilegeValueW	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	success	1
1619366990.957499 LookupPrivilegeValueW	system_name: privilege_name: SeTcbPrivilege	success	1
1619366990.957499 LookupPrivilegeValueW	system_name: privilege_name: SeCreateTokenPrivilege	success	1
1619366990.957499 LookupPrivilegeValueW	system_name: privilege_name: SeBackupPrivilege	success	1
1619366990.957499 LookupPrivilegeValueW	system_name: privilege_name: SeRestorePrivilege	success	1
1619366990.957499 LookupPrivilegeValueW	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	success	1

Queries for potentially installed applications (36 个事件)

Time & API	Arguments	Status
1619366959.300499 RegOpenKeyExA	access: 0x02000000 base_handle: 0x80000002 key_handle: 0x00000134 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC options: 0	success
1619366959.300499 RegOpenKeyExA	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x00000138 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC options: 0	success

Uses Windows utilities for basic Windows functionality (3 个事件)

cmdline	schtasks.exe /Create /TN "Updates\hzJupOEjGnFo" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB5AE.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hzJupOEjGnFo" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB5AE.tmp"
cmdline	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\28957875.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

One or more of the buffers contains an embedded PE file (1 个事件)

buffer

Buffer with sha1: 242aba73fda9ee44d1eb979f129a79b799d7faa9

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619340491.9845 NtAllocateVirtualMemory	process_identifier: 1688 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000338 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Deletes executed files from disk (1 个事件)

file	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Harvests credentials from local FTP client softwares (50 out of 120 个事件)

file	C:\Program Files (x86)\CuteFTP\sm.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\CuteFTP\sm.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\CuteFTP\sm.dat
file	C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
file	C:\ProgramData\CuteFTP\sm.dat
file	C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
file	C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
file	C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
file	C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
file	C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\3\History.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\3\History.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\4\Sites.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\4\Sites.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\4\History.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\4\Quick.dat
file	C:\ProgramData\FlashFXP\3\History.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\4\Quick.dat
file	C:\ProgramData\FlashFXP\4\History.dat
file	C:\ProgramData\FlashFXP\3\Sites.dat
file	C:\ProgramData\FlashFXP\4\Quick.dat
file	C:\ProgramData\FlashFXP\4\Sites.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\3\Sites.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\3\Quick.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\3\Quick.dat
file	C:\ProgramData\FlashFXP\3\Quick.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FlashFXP\3\Sites.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\FlashFXP\4\History.dat
file	C:\ProgramData\GHISLER\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Local\GHISLER\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite
file	C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs
file	C:\Users\Administrator.Oskar-PC\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
file	C:\Users\Administrator.Oskar-PC\AppData\Local\CoffeeCup Software\SharedSettings.ccs
file	C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
file	C:\ProgramData\CoffeeCup Software\SharedSettings.ccs
file	C:\Users\Administrator.Oskar-PC\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite

Potential code injection by writing to the memory of another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619340492.0165 WriteProcessMemory	process_identifier: 1688 buffer: aPLib v1.01 - the smaller the better :) Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved. More information: http://www.ibsensoftware.com/ ½·NkÁ%-öÖTìÝ¢b-oW- DhäHzS process_handle: 0x00000338 base_address: 0x00413000	success	1	0
1619340492.0165 WriteProcessMemory	process_identifier: 1688 buffer: @ process_handle: 0x00000338 base_address: 0x7efde008	success	1	0

Collects information about installed applications (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619366959.300499 RegQueryValueExA	key_handle: 0x00000138 value: Google Chrome regkey_r: DisplayName reg_type: 1 (REG_SZ) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	success	0	0

Harvests credentials from local email clients (7 个事件)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Salt
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_LOCAL_MACHINE\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Poco Systems Inc

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1752 called NtSetContextThread to modify thread in remote process 1688
1619340492.0165 NtSetContextThread	thread_handle: 0x0000038c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4261409 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1688	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1752 resumed a thread in remote process 1688
1619340492.0475 NtResumeThread	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 1688	success	0	0

Executed a process and injected code into it, probably while unpacking (16 个事件)

Time & API	Arguments	Status	Return
1619340473.9845 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1752	success	0
1619340474.0475 NtResumeThread	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 1752	success	0
1619340481.7035 NtResumeThread	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 1752	success	0
1619340483.2665 CreateProcessInternalW	thread_identifier: 1804 thread_handle: 0x00000344 process_identifier: 2440 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hzJupOEjGnFo" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpB5AE.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x0000037c inherit_handles: 0	success	1
1619340491.9225 CreateProcessInternalW	thread_identifier: 1880 thread_handle: 0x0000038c process_identifier: 1688 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe track: 1 command_line: "{path}" filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000338 inherit_handles: 0	success	1
1619340491.9695 NtGetContextThread	thread_handle: 0x0000038c	success	0
1619340491.9845 NtAllocateVirtualMemory	process_identifier: 1688 region_size: 102400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000338 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619340491.9845 WriteProcessMemory	process_identifier: 1688 buffer: process_handle: 0x00000338 base_address: 0x00400000	success	1
1619340492.0165 WriteProcessMemory	process_identifier: 1688 buffer: process_handle: 0x00000338 base_address: 0x00401000	success	1
1619340492.0165 WriteProcessMemory	process_identifier: 1688 buffer: aPLib v1.01 - the smaller the better :) Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved. More information: http://www.ibsensoftware.com/ ½·NkÁ%-öÖTìÝ¢b-oW- DhäHzS process_handle: 0x00000338 base_address: 0x00413000	success	1
1619340492.0165 WriteProcessMemory	process_identifier: 1688 buffer: process_handle: 0x00000338 base_address: 0x00414000	success	1
1619340492.0165 WriteProcessMemory	process_identifier: 1688 buffer: @ process_handle: 0x00000338 base_address: 0x7efde008	success	1
1619340492.0165 NtSetContextThread	thread_handle: 0x0000038c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4261409 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1688	success	0
1619340492.0475 NtResumeThread	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 1688	success	0
1619340492.0475 NtResumeThread	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 1752	success	0
1619366991.035499 CreateProcessInternalW	thread_identifier: 1704 thread_handle: 0x0000035c process_identifier: 916 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\28957875.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" filepath_r: stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000003a0 inherit_handles: 0	success	1

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.33608683
FireEye	Generic.mg.28ffa83affd82e01
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
ALYac	Spyware.Infostealer.Fareit
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 00563fb21 )
Alibaba	TrojanPSW:Win32/Occamy.113c5e06
K7GW	Trojan ( 00563fb21 )
Cybereason	malicious.affd82
Arcabit	Trojan.Generic.D200D3EB
Cyren	W32/MSIL_Agent.BEX.gen!Eldorado
Symantec	Trojan Horse
APEX	Malicious
Avast	Win32:RansomX-gen [Ransom]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.33608683
NANO-Antivirus	Trojan.Win32.Agensla.ibqqij
Paloalto	generic.ml
AegisLab	Trojan.Multi.Generic.4!c
Tencent	Msil.Trojan-qqpass.Qqrob.Huqh
Ad-Aware	Trojan.GenericKD.33608683
Sophos	Mal/Generic-R + Troj/Fareit-KFD
Comodo	Malware@#1yo7zocs0woi5
DrWeb	Trojan.Siggen9.33345
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R06EC0PI220
McAfee-GW-Edition	GenericRXKA-WH!28FFA83AFFD8
Emsisoft	Trojan.GenericKD.33608683 (B)
Webroot	W32.Trojan.Gen
Avira	TR/AD.Fareit.cxjdt
Antiy-AVL	Trojan[PSW]/MSIL.Agensla
Microsoft	Trojan:Win32/Occamy.C6C
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.33608683
Cynet	Malicious (score: 85)
AhnLab-V3	Backdoor/Win32.Infostealer.C4042645
McAfee	GenericRXKA-WH!28FFA83AFFD8
MAX	malware (ai score=80)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.PCrypt.MSIL.Generic
TrendMicro-HouseCall	TROJ_GEN.R06EC0PI220
Yandex	Trojan.GenKryptik!KXXISS9kjoI
Ikarus	Trojan.MSIL.Krypt
MaxSecure	Trojan.Malware.74499699.susgen
Fortinet	MSIL/Agent.2483!tr
AVG	Win32:RansomX-gen [Ransom]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_70% (W)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443
dead_host	35.205.61.67:80

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-04-04 08:17:59

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
kanavagronomy.in	A 35.205.61.67	35.205.61.67
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com A 216.58.200.238	172.217.24.14
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53380	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	60221	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57236	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.