SmartHawk

11.4

0-day

58 个模型检测该样本为恶意！

重新分析

下载样本

6ba80c4c0298efdf3e6a1cc0813f5e471cd41b33940a64b7507ddf715912401e

2f70e8a5b8655e094a4fb445b5ba8c42.exe

分析耗时

99s

最近分析

文件大小

108.0KB

静态报毒动态报毒 100% AI SCORE=89 ATTRIBUTE CLASSIC CONFIDENCE CSSZ ELDORADO GDSDA GENERICRXHS GIW@AU3S6 HGYFJB HIGH CONFIDENCE HIGHCONFIDENCE HUFW MALICIOUS PE MALWARE@#2MB73A5S0BMHZ MSILPERSEUS R + MAL RATX REVENGE REVENGERAT REVET REVETRAT REVETRATNET RRATFC S17035669 SCORE STATIC AI SUSGEN SZTDZ3MMI1U TSCOPE UNSAFE ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXHS-HG!2F70E8A5B865	20201229	6.0.6.653
Alibaba	Backdoor:MSIL/RevengeRat.d6038af4	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:RATX-gen [Trj]	20201229	21.1.5827.0
Tencent	Msil.Backdoor.Revenge.Hufw	20201229	1.0.0.1
Kingsoft		20201229	2017.9.26.565

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619362232.311 GetComputerNameW	computer_name: OSKAR-PC	success	1	0
1619362267.248625 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (6 个事件)

Time & API	Arguments	Status	Return	Repeated
1619340033.800021 IsDebuggerPresent		failed	0	0
1619362217.076 IsDebuggerPresent		failed	0	0
1619362227.56125 IsDebuggerPresent		failed	0	0
1619362265.889625 IsDebuggerPresent		failed	0	0
1619362267.076625 IsDebuggerPresent		failed	0	0
1619362267.529875 IsDebuggerPresent		failed	0	0

Command line console output was observed (4 个事件)

Time & API	Arguments	Status	Return
1619362231.43625 WriteConsoleA	buffer: Microsoft (R) Éú³ÉÒýÇæ°æ±¾ 2.0.50727.5420 [Microsoft .NET Framework °æ±¾ 2.0.50727.5420] °æÈ¨ËùÓÐ(C) Microsoft Corporation 2005¡£ ±£ÁôËùÓÐÈ¨Àû¡£ console_handle: 0x00000007	success	1
1619362231.59225 WriteConsoleA	buffer: MSBUILD : ´íÎó MSB1003: ÇëÖ¸¶¨ÏîÄ¿»ò½â¾ö·½°¸ÎÄ¼þ¡£µ±Ç°¹¤×÷Ä¿Â¼ÖÐÎ´°üº¬ÏîÄ¿»ò½â¾ö·½°¸ÎÄ¼þ¡£ console_handle: 0x00000007	success	1
1619362267.670875 WriteConsoleA	buffer: Microsoft (R) Éú³ÉÒýÇæ°æ±¾ 2.0.50727.5420 [Microsoft .NET Framework °æ±¾ 2.0.50727.5420] °æÈ¨ËùÓÐ(C) Microsoft Corporation 2005¡£ ±£ÁôËùÓÐÈ¨Àû¡£ console_handle: 0x00000007	success	1
1619362267.670875 WriteConsoleA	buffer: MSBUILD : ´íÎó MSB1003: ÇëÖ¸¶¨ÏîÄ¿»ò½â¾ö·½°¸ÎÄ¼þ¡£µ±Ç°¹¤×÷Ä¿Â¼ÖÐÎ´°üº¬ÏîÄ¿»ò½â¾ö·½°¸ÎÄ¼þ¡£ console_handle: 0x00000007	success	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619340034.081021 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 206 个事件)

Time & API	Arguments	Status
1619340030.910021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x0000000000770000	success
1619340030.910021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000000790000	success
1619340033.503021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b41000	success
1619340033.753021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dbe000	success
1619340033.753021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dbe000	success
1619340033.800021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dbf000	success
1619340033.800021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dbf000	success
1619340033.800021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dbf000	success
1619340033.800021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dbf000	success
1619340033.800021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dbf000	success
1619340033.800021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dbf000	success
1619340033.800021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dbf000	success
1619340033.816021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dbf000	success
1619340033.816021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dc0000	success
1619340033.816021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dc0000	success
1619340033.816021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dc0000	success
1619340033.816021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dc0000	success
1619340033.816021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dc0000	success
1619340033.816021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dc1000	success
1619340033.816021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dc1000	success
1619340033.816021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dc1000	success
1619340033.816021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dc1000	success
1619340033.816021 NtProtectVirtualMemory	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1dbe000	success
1619340034.488021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00042000	success
1619340034.660021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) base_address: 0x000007fffff10000	success
1619340034.660021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007fffff10000	success
1619340034.660021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007fffff10000	success
1619340034.660021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) base_address: 0x000007fffff00000	success
1619340034.660021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007fffff00000	success
1619340034.660021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff000fa000	success
1619340034.675021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00032000	success
1619340034.972021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00043000	success
1619340034.972021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff0010a000	success
1619340034.972021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00132000	success
1619340034.972021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff0010d000	success
1619340034.988021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff0004c000	success
1619340036.706021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00044000	success
1619340036.863021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00046000	success
1619340043.566021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00180000	success
1619340043.878021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff000fb000	success
1619340044.066021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff000f2000	success
1619340044.175021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00047000	success
1619340044.269021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff0004a000	success
1619340044.269021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff0005f000	success
1619340044.550021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff001c0000	success
1619340044.644021 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00181000	success
1619362215.654 NtAllocateVirtualMemory	process_identifier: 1824 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00610000	success
1619362215.654 NtAllocateVirtualMemory	process_identifier: 1824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006a0000	success
1619362216.92 NtProtectVirtualMemory	process_identifier: 1824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73a41000	success
1619362217.076 NtAllocateVirtualMemory	process_identifier: 1824 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ba000	success

Creates executable files on the filesystem (7 个事件)

file	C:\Documents and Settings.exe
file	C:\PerfLogs.exe
file	C:\$Recycle.Bin.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9eky7nqc.0.vb
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\imb4a7jc.0.vb
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\qay-ndwf.0.vb
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\viavarah.0.vb

Creates a suspicious process (2 个事件)

cmdline	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchost.exe"
cmdline	C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchost.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 个事件)

Time & API	Arguments	Status	Return
1619340044.347021 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619362225.123 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619362266.701625 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619362267.123625 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1

Created a process named as a common system process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619362265.436 CreateProcessInternalW	thread_identifier: 3080 thread_handle: 0x0000046c process_identifier: 3076 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchost.exe track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchost.exe" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000004c8 inherit_handles: 0	success	1	0
1619362265.436 ShellExecuteExW	parameters: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchost.exe filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchost.exe show_type: 1	success	1	0

Terminates another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619340070.425021 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1948 process_handle: 0x00000000000001f4	failed	0	0
1619362271.139625 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3076 process_handle: 0x00000000000001ec	failed	0	0

One or more of the buffers contains an embedded PE file (1 个事件)

buffer

Buffer with sha1: a8083ee691ab977db65d082a445cf4e4cf47e00a

Allocates execute permission to another process indicative of possible code injection (4 个事件)

Time & API	Arguments	Status
1619340044.988021 NtAllocateVirtualMemory	process_identifier: 1824 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000000000001ec allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x0000000000400000	success
1619362226.983 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000204 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success
1619362266.842625 NtAllocateVirtualMemory	process_identifier: 3112 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000000000001e4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x0000000000400000	success
1619362267.170625 NtAllocateVirtualMemory	process_identifier: 2152 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000208 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\viavarah.cmdline

Potential code injection by writing to the memory of another process (8 个事件)

Time & API	Arguments	Status	Return
1619340044.988021 WriteProcessMemory	process_identifier: 1824 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL÷oz^à¬ÎË à@ @xËSà H.textÔ« ¬ `.relocà®@B process_handle: 0x00000000000001ec base_address: 0x0000000000400000	success	1
1619340045.003021 WriteProcessMemory	process_identifier: 1824 buffer: ÀÐ; process_handle: 0x00000000000001ec base_address: 0x000000000041e000	success	1
1619340045.003021 WriteProcessMemory	process_identifier: 1824 buffer: @ process_handle: 0x00000000000001ec base_address: 0x000000007efde008	success	1
1619362226.998 WriteProcessMemory	process_identifier: 2056 buffer: @ process_handle: 0x00000204 base_address: 0x7efde008	success	1
1619362266.858625 WriteProcessMemory	process_identifier: 3112 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL÷oz^à¬ÎË à@ @xËSà H.textÔ« ¬ `.relocà®@B process_handle: 0x00000000000001e4 base_address: 0x0000000000400000	success	1
1619362266.858625 WriteProcessMemory	process_identifier: 3112 buffer: ÀÐ; process_handle: 0x00000000000001e4 base_address: 0x000000000041e000	success	1
1619362266.858625 WriteProcessMemory	process_identifier: 3112 buffer: @ process_handle: 0x00000000000001e4 base_address: 0x000000007efde008	success	1
1619362267.170625 WriteProcessMemory	process_identifier: 2152 buffer: @ process_handle: 0x00000208 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619340044.988021 WriteProcessMemory	process_identifier: 1824 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL÷oz^à¬ÎË à@ @xËSà H.textÔ« ¬ `.relocà®@B process_handle: 0x00000000000001ec base_address: 0x0000000000400000	success	1	0
1619362266.858625 WriteProcessMemory	process_identifier: 3112 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL÷oz^à¬ÎË à@ @xËSà H.textÔ« ¬ `.relocà®@B process_handle: 0x00000000000001e4 base_address: 0x0000000000400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1824 called NtSetContextThread to modify thread in remote process 2056
Process injection	Process 3112 called NtSetContextThread to modify thread in remote process 2152
1619362226.998 NtSetContextThread	thread_handle: 0x00000200 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4248286 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2056	success	0	0
1619362267.170625 NtSetContextThread	thread_handle: 0x00000204 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4248286 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2152	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (8 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1948 resumed a thread in remote process 1824
Process injection	Process 1824 resumed a thread in remote process 2056
Process injection	Process 3076 resumed a thread in remote process 3112
Process injection	Process 3112 resumed a thread in remote process 2152
1619340045.066021 NtResumeThread	thread_handle: 0x00000000000001e8 suspend_count: 1 process_identifier: 1824	success	0	0
1619362227.092 NtResumeThread	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2056	success	0	0
1619362266.920625 NtResumeThread	thread_handle: 0x00000000000001e0 suspend_count: 1 process_identifier: 3112	success	0	0
1619362267.201625 NtResumeThread	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2152	success	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 63 个事件)

Time & API	Arguments	Status	Return
1619340033.800021 NtResumeThread	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 1948	success	0
1619340034.081021 NtResumeThread	thread_handle: 0x0000000000000144 suspend_count: 1 process_identifier: 1948	success	0
1619340044.988021 CreateProcessInternalW	thread_identifier: 1272 thread_handle: 0x00000000000001e8 process_identifier: 1824 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000000000001ec inherit_handles: 0	success	1
1619340044.988021 NtAllocateVirtualMemory	process_identifier: 1824 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000000000001ec allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x0000000000400000	success	0
1619340044.988021 WriteProcessMemory	process_identifier: 1824 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL÷oz^à¬ÎË à@ @xËSà H.textÔ« ¬ `.relocà®@B process_handle: 0x00000000000001ec base_address: 0x0000000000400000	success	1
1619340044.988021 WriteProcessMemory	process_identifier: 1824 buffer: process_handle: 0x00000000000001ec base_address: 0x0000000000402000	success	1
1619340045.003021 WriteProcessMemory	process_identifier: 1824 buffer: ÀÐ; process_handle: 0x00000000000001ec base_address: 0x000000000041e000	success	1
1619340045.003021 WriteProcessMemory	process_identifier: 1824 buffer: @ process_handle: 0x00000000000001ec base_address: 0x000000007efde008	success	1
1619340045.066021 NtResumeThread	thread_handle: 0x00000000000001e8 suspend_count: 1 process_identifier: 1824	success	0
1619362217.076 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1824	success	0
1619362217.154 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 1824	success	0
1619362226.951 CreateProcessInternalW	thread_identifier: 732 thread_handle: 0x00000200 process_identifier: 2056 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000204 inherit_handles: 0	success	1
1619362226.983 NtGetContextThread	thread_handle: 0x00000200	success	0
1619362226.983 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000204 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619362226.983 WriteProcessMemory	process_identifier: 2056 buffer: process_handle: 0x00000204 base_address: 0x00400000	success	1
1619362226.998 WriteProcessMemory	process_identifier: 2056 buffer: process_handle: 0x00000204 base_address: 0x00402000	success	1
1619362226.998 WriteProcessMemory	process_identifier: 2056 buffer: process_handle: 0x00000204 base_address: 0x0040e000	success	1
1619362226.998 WriteProcessMemory	process_identifier: 2056 buffer: process_handle: 0x00000204 base_address: 0x00412000	success	1
1619362226.998 WriteProcessMemory	process_identifier: 2056 buffer: @ process_handle: 0x00000204 base_address: 0x7efde008	success	1
1619362226.998 NtSetContextThread	thread_handle: 0x00000200 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4248286 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2056	success	0
1619362227.092 NtResumeThread	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2056	success	0
1619362229.295 NtResumeThread	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 1824	success	0
1619362229.311 NtResumeThread	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 1824	success	0
1619362229.326 NtResumeThread	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 1824	success	0
1619362229.326 NtResumeThread	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 1824	success	0
1619362255.639 CreateProcessInternalW	thread_identifier: 3532 thread_handle: 0x0000032c process_identifier: 3528 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\imb4a7jc.cmdline" filepath_r: stack_pivoted: 0 creation_flags: 0 () process_handle: 0x00000330 inherit_handles: 1	success	1
1619362258.811 CreateProcessInternalW	thread_identifier: 3752 thread_handle: 0x00000344 process_identifier: 3748 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9eky7nqc.cmdline" filepath_r: stack_pivoted: 0 creation_flags: 0 () process_handle: 0x00000348 inherit_handles: 1	success	1
1619362263.186 CreateProcessInternalW	thread_identifier: 3936 thread_handle: 0x0000034c process_identifier: 3932 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\viavarah.cmdline" filepath_r: stack_pivoted: 0 creation_flags: 0 () process_handle: 0x00000354 inherit_handles: 1	success	1
1619362264.779 NtResumeThread	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 1824	success	0
1619362265.436 CreateProcessInternalW	thread_identifier: 3080 thread_handle: 0x0000046c process_identifier: 3076 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchost.exe track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchost.exe" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\svchost.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000004c8 inherit_handles: 0	success	1
1619362265.498 CreateProcessInternalW	thread_identifier: 2128 thread_handle: 0x0000045c process_identifier: 364 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\qay-ndwf.cmdline" filepath_r: stack_pivoted: 0 creation_flags: 0 () process_handle: 0x00000464 inherit_handles: 1	success	1
1619362227.56125 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2056	success	0
1619362227.56125 NtResumeThread	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 2056	success	0
1619362256.561375 CreateProcessInternalW	thread_identifier: 3616 thread_handle: 0x000000e4 process_identifier: 3612 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RES52AB.tmp" "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\vbc529A.tmp" filepath_r: stack_pivoted: 0 creation_flags: 0 () process_handle: 0x000000e8 inherit_handles: 1	success	1
1619362259.092625 CreateProcessInternalW	thread_identifier: 3812 thread_handle: 0x000000e4 process_identifier: 3808 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RES5CDC.tmp" "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\vbc5CDB.tmp" filepath_r: stack_pivoted: 0 creation_flags: 0 () process_handle: 0x000000e8 inherit_handles: 1	success	1
1619362263.70125 CreateProcessInternalW	thread_identifier: 3996 thread_handle: 0x000000e4 process_identifier: 3992 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RES6EDE.tmp" "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\vbc6EBD.tmp" filepath_r: stack_pivoted: 0 creation_flags: 0 () process_handle: 0x000000e8 inherit_handles: 1	success	1
1619362265.889625 NtResumeThread	thread_handle: 0x00000000000000b4 suspend_count: 1 process_identifier: 3076	success	0
1619362266.029625 NtResumeThread	thread_handle: 0x0000000000000144 suspend_count: 1 process_identifier: 3076	success	0
1619362266.842625 CreateProcessInternalW	thread_identifier: 708 thread_handle: 0x00000000000001e0 process_identifier: 3112 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000000000001e4 inherit_handles: 0	success	1
1619362266.842625 NtAllocateVirtualMemory	process_identifier: 3112 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000000000001e4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x0000000000400000	success	0
1619362266.858625 WriteProcessMemory	process_identifier: 3112 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL÷oz^à¬ÎË à@ @xËSà H.textÔ« ¬ `.relocà®@B process_handle: 0x00000000000001e4 base_address: 0x0000000000400000	success	1
1619362266.858625 WriteProcessMemory	process_identifier: 3112 buffer: process_handle: 0x00000000000001e4 base_address: 0x0000000000402000	success	1
1619362266.858625 WriteProcessMemory	process_identifier: 3112 buffer: ÀÐ; process_handle: 0x00000000000001e4 base_address: 0x000000000041e000	success	1
1619362266.858625 WriteProcessMemory	process_identifier: 3112 buffer: @ process_handle: 0x00000000000001e4 base_address: 0x000000007efde008	success	1
1619362266.920625 NtResumeThread	thread_handle: 0x00000000000001e0 suspend_count: 1 process_identifier: 3112	success	0
1619362267.076625 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 3112	success	0
1619362267.092625 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 3112	success	0
1619362267.170625 CreateProcessInternalW	thread_identifier: 3276 thread_handle: 0x00000204 process_identifier: 2152 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000208 inherit_handles: 0	success	1
1619362267.170625 NtGetContextThread	thread_handle: 0x00000204	success	0
1619362267.170625 NtAllocateVirtualMemory	process_identifier: 2152 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000208 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.MSILPerseus.64509
FireEye	Generic.mg.2f70e8a5b8655e09
CAT-QuickHeal	Trojan.RratFC.S17035669
McAfee	GenericRXHS-HG!2F70E8A5B865
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 700000121 )
Alibaba	Backdoor:MSIL/RevengeRat.d6038af4
K7GW	Trojan ( 700000121 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.MSILPerseus.DFBFD
Cyren	W32/Revetrat.A.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Trojan.RevengeRat-6344273-0
Kaspersky	HEUR:Backdoor.MSIL.Revenge.gen
BitDefender	Gen:Variant.MSILPerseus.64509
NANO-Antivirus	Trojan.Win32.Revenge.hgyfjb
Paloalto	generic.ml
AegisLab	Trojan.MSIL.Revenge.m!c
Tencent	Msil.Backdoor.Revenge.Hufw
Ad-Aware	Gen:Variant.MSILPerseus.64509
Emsisoft	Gen:Variant.MSILPerseus.64509 (B)
Comodo	Malware@#2mb73a5s0bmhz
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	BackDoor.RevetratNET.1
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	BKDR_REVET.SM
McAfee-GW-Edition	BehavesLike.Win32.Generic.cm
Sophos	Mal/Generic-R + Mal/Revet-A
Ikarus	Backdoor-Rat.Revenge
Jiangmin	Backdoor.MSIL.cssz
MaxSecure	Trojan.Malware.300983.susgen
Avira	TR/Dropper.Gen
Antiy-AVL	Trojan[Backdoor]/MSIL.Revenge
Microsoft	Backdoor:MSIL/RevengeRat.GA!MTB
ZoneAlarm	HEUR:Backdoor.MSIL.Revenge.gen
GData	Gen:Variant.MSILPerseus.64509
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Generic.C3448952
BitDefenderTheta	Gen:NN.ZemsilF.34700.giW@au3s6!
ALYac	Trojan.MSIL.Revetrat
MAX	malware (ai score=89)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Backdoor.RevengeRAT
ESET-NOD32	a variant of MSIL/Agent.APN
TrendMicro-HouseCall	BKDR_REVET.SM
Rising	Backdoor.Revetrat!1.B8DA (CLASSIC)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	192.168.0.30:8800

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-03-25 04:39:19

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.24.14 CNAME clients.l.google.com	172.217.24.14
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.