10.8
0-day
53 个模型检测该样本为恶意!
重新分析
更多

1cc4b7a9c9d0d8de1ab96f11189104912af60a594c7e4a0c70d7cc236fdbb6ec

31c594daa24b28d6d6102ed84aafb204.exe

分析耗时

86s

最近分析

文件大小

275.0KB
静态报毒 动态报毒 100% AGEN AI SCORE=87 ATTRIBUTE BTVF7P CONFIDENCE DOTHETUK ECAUCE EKOW ELDORADO GDSDA GENERICRXKU GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE IGENT KRYPTIK LJUB LOYEETRO MALICIOUS PE MALWARE@#1FNGH1DT7F65J R06EC0PIA20 RATX RAZY REMCOS RM0@A475CQJ SCORE STATIC AI SUSGEN UNSAFE WOREFLINT ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee GenericRXKU-JP!31C594DAA24B 20201216 6.0.6.653
Alibaba Trojan:MSIL/Kryptik.eeccb366 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Tencent Msil.Trojan.Dothetuk.Ljub 20201216 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20201216 2017.9.26.565
Avast Win32:RATX-gen [Trj] 20201216 21.1.5827.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619370008.353626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (3 个事件)
Time & API Arguments Status Return Repeated
1619345036.515212
IsDebuggerPresent
failed 0 0
1619345036.515212
IsDebuggerPresent
failed 0 0
1619370011.978499
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619370009.009626
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\IwuRFhhU"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619345036.530212
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 53 个事件)
Time & API Arguments Status Return Repeated
1619345035.640212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 1376256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00850000
success 0 0
1619345035.640212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00960000
success 0 0
1619345035.984212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x002d0000
success 0 0
1619345035.984212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002e0000
success 0 0
1619345036.296212
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619345036.515212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00560000
success 0 0
1619345036.515212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b0000
success 0 0
1619345036.515212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002da000
success 0 0
1619345036.515212
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619345036.515212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002d2000
success 0 0
1619345036.702212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00422000
success 0 0
1619345036.780212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00445000
success 0 0
1619345036.780212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0044b000
success 0 0
1619345036.780212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00447000
success 0 0
1619345036.859212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00423000
success 0 0
1619345036.890212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042c000
success 0 0
1619345037.218212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00424000
success 0 0
1619345037.218212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00426000
success 0 0
1619345037.312212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00427000
success 0 0
1619345037.327212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a0000
success 0 0
1619345037.452212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00428000
success 0 0
1619345094.202212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00429000
success 0 0
1619345094.234212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00436000
success 0 0
1619345094.249212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043a000
success 0 0
1619345094.249212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00437000
success 0 0
1619345094.593212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a1000
success 0 0
1619345094.593212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a80000
success 0 0
1619345094.671212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a81000
success 0 0
1619345094.734212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a2000
success 0 0
1619345094.765212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a82000
success 0 0
1619345094.780212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a3000
success 0 0
1619345094.812212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a5000
success 0 0
1619345094.827212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a83000
success 0 0
1619345094.843212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b1000
success 0 0
1619345094.859212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b2000
success 0 0
1619345094.859212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b3000
success 0 0
1619345094.859212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b4000
success 0 0
1619345094.874212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b5000
success 0 0
1619345094.890212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042d000
success 0 0
1619345094.921212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a6000
success 0 0
1619345094.937212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b6000
success 0 0
1619345094.937212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ba000
success 0 0
1619345094.937212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005cb000
success 0 0
1619345094.937212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005cc000
success 0 0
1619345094.937212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005cd000
success 0 0
1619345094.968212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a7000
success 0 0
1619345095.109212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a8000
success 0 0
1619345095.140212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04a84000
success 0 0
1619345095.171212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a9000
success 0 0
1619345095.202212
NtAllocateVirtualMemory
process_identifier: 648
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002e1000
success 0 0
Creates a suspicious process (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\IwuRFhhU" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3C82.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwuRFhhU" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3C82.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619345096.343212
ShellExecuteExW
parameters: /Create /TN "Updates\IwuRFhhU" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3C82.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)
entropy 7.505617047178693 section {'size_of_data': '0x00041e00', 'virtual_address': '0x00002000', 'entropy': 7.505617047178693, 'name': '.text', 'virtual_size': '0x00041ce4'} description A section with a high entropy has been found
entropy 7.611301121863382 section {'size_of_data': '0x00002a00', 'virtual_address': '0x00044000', 'entropy': 7.611301121863382, 'name': '.rsrc', 'virtual_size': '0x0000293c'} description A section with a high entropy has been found
entropy 0.9981785063752276 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619345099.859212
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\IwuRFhhU" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3C82.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwuRFhhU" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3C82.tmp"
网络通信
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 5.9.84.209
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619345099.499212
NtAllocateVirtualMemory
process_identifier: 176
region_size: 208896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000378
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (5 个事件)
Time & API Arguments Status Return Repeated
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELYI ^à  xh-$ @0ŸË ð;è Ð œÔ.text  P`.data\M N@`À.eh_framØp\@0@.bss„f€€`À.edata;ðb@0@.idataèd@0À.relocÐ x@0B
process_handle: 0x00000378
base_address: 0x00400000
success 1 0
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer: zR| ˆ(Œÿÿ9A†A ƒC q AÃAÆHŒÿÿ,C h`,Œÿÿ,C hxDŒÿÿFC0B|ŒÿÿFC0B¨´Œÿÿ>C0zzR| ˆ ČÿÿaAƒC0| AÃA @ÿÿaAƒC0| AÃA d\ÿÿaAƒC0| AÃA ˆ¨ÿÿICZ E S E JzR| ˆ|¦ÿÿzR| ˆÿÿ+C gzR| ˆ ÿÿKD†A ƒ}ÃEÆ0@¼ÿÿœA‡A †CƒH ‹Aà AÆAÇ,t(Žÿÿ\A†A ƒN ÃAÆA HÃAÆT¤XŽÿÿ…A…A ‡A†CƒE@M AÃAÆ AÇAÅA W EÃAÆ AÇAÅE 8üŽÿÿœA…A ‡C†CƒCPŒAÃAÆ AÇAÅ<8ôŽÿÿyA…A ‡F†AƒC@hAÃAÆ AÇAÅ4x4ÿÿþA‡A †AƒC Ø Aà AÆAÇA °üÿÿ‚AƒC x AÃA 4Ôh‘ÿÿŠA‡A †AƒC0a Aà AÆAÇA 4 À‘ÿÿŠA‡A †AƒC0a Aà AÆAÇA 4D’ÿÿœA‡A †AƒC0p Aà AÆAÇA zR| ˆ<h’ÿÿÑA…A ‡A†AƒC`0 CÃAÆ AÇAÅA zR| ˆ<ð”ÿÿ¸A…C ‡A†AƒC@ˆ AÃAÆ AÇAÅA <\p–ÿÿqA…A ‡A†AƒCpt AÃAÆ AÇAÅA zR| ˆ<Ÿÿÿ`A…A ‡A†AƒC@2 AÃAÆ AÇAÅA zR| ˆ<  ÿÿ?A…B F‡†ƒÚ ÃAÆAÇAÅ A µ ÃAÆAÇAÅ A
process_handle: 0x00000378
base_address: 0x00427000
success 1 0
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer: YI ^(ð(ð(ð(ð
process_handle: 0x00000378
base_address: 0x0042f000
success 1 0
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer: X 00 0+010;0E0¦0Ä0Ë0å0*1Ý1ñ1 2%313|34[4S5.68™8¬9´94:Ý:û<==¶=À=Ë=‡>Ç>û>?? Œ¨1õ34¤5P6\6l6|6œ6º6Þ6ç708x8ª8Ñ9$:´;Ã;Ò;ã;÷;„<“<¢<¹<Ë<r=~=’=©=»=í=ø=>(>Ò>Ú>á>è>ú>? ??(?0?7?>?P?[?b?i??‡?Ž?•?§?²?¹?À?Ö?Þ?å?ì?þ?0ô 0001%1;1E1[1b1v1€1˜1Ÿ1³1º1Ë1Ú1ä1ò122+252K2R2d2n2}2„2œ2©2³2Â2Ì2Ú2÷23#353u3‡33¯3í34424m4w4Ž4¤4µ5¼5Ð5Ú5í5ô5 6646;6V6`6p6w66ˆ6±6¸6É6Ó6ê6ñ6777%7?7I7P7[7k7y7¡7¨7Ã7×7ð7ú78,8D8R8n8€88¢8¸8Í8×:ç:;);0;™;º;ä;ø;<‡=¤=Å=Õ=ÿ=„>Ó?ô?@`0)0M0f0—0 11 1{1–11§1®1µ1½1Ä1Õ1Ý1ä1ø12 222&2-282A2H2U2\2i2r2y2†22˜2¡2¨2µ2¼2â2ë2ó2ù23 30373¹3Á3È3Õ3Ý3ä3ñ3ù34 44444A4M4d4q4~4•4¡4®4Ä4Ý4ô4û45!565á5666¾6ç6ï6ù6E7­7Î7Ö7â7ê788+8Q8¦8Â8ý89W9^9e9q9x99†99–99¤9±9Ù9ø9::7:J:P:f:r:w:}:; ;\;d;~;¢;©;²;Æ;><K<R<W<c<j<q<%=4=C=¹=Ù=è=÷=>> >1>@>O>^>m>|>‹>š>©>¸>Ç>Ö>ô>ù>??4?9?Y?f?‡?ª?¯?Px0†0£0µ0Ù0á0í0ô01 111-151=1D1d1–1¡1+8Ë8ˆ9ú9:::‚:¯:º:À:;';@;H;M;Z;É;ì;÷;t<<•<©=Ú=â=ì=ÿ=> >><>C>_>y>È>`, 2•2Ã3Ê3ô355Ç5v6k8¤8Á8Ù8`9¥9c:G;b;­;p0d0«0Ã0ã0 1P1ò1M3¦3&6.7g7„7œ7Ã7ž8ù8(<J<˜>€À§0²1Ç1Ú1ä12h2Ï2î2L3£3*464U4a4’4é4M5Š566*616?6¨6®6ï6õ6 777*7q7®72888N8U8f8Ò8Ø89959<9¦9Â9á9:M:i:Ú:Y;f;;š;¿;×;ß;"<@<\<q<™<´<Ì<ä<ü<=,=D=\=t=Œ=¤=¼=ñ=ü=>4>9>C>m>>À>Æ>Ñ>?›?¡?Á?Ô?¸0'0[0c0x0ž0¦0Ë0û01'1/112É2â23$3D3[3˜3¥3Ë3ç3û34#4+4W4_4À4a5Š5!6Ì6ç6E7ó7€8¨8Ã8Ë8Ú8ß8ö8 99.999C9M9[9a9u9™9÷9ÿ9<:µ:ç:ò:;…;l<™<Í<ò<==!=*=3=<=E=N=W=`=i=r={=„=c>m>å>C?~?î?û? \ 0<0{0Ê011!1;1C1S1_1y1®1Î1ƒ2Ï2×2y3ê3@4H4˜4 45£5»5ò5ú5 6?6†6ª6ä6ë677@7¥7Ä7Þ7þ7{8°tç2-3P3Ö34?4ß45K5s5&6>6^6}6å6ú6777L7Þ788³8Æ89909S9f9¯9»9Ð9ó9:O:[:…:·:ê:;0;[;†;±;Ü;<2<[<‚<«<Ö<-=B=Ð?Àpr0<1s1à12~3L4X4Š4–4½4055“5Á56>6Œ6´6Å68y8¸8ì89\9Œ9¿9ü9,:_:œ:Ì:ÿ:<;p;£;#<5=’=Ñ=>8>u>¥>Ø>?E?x?µ?å?ÐH0U0‰0¼0<1v2k3·3 4Y4v5­5;6i6–6747'8ò9•:5=Ý=(>@>q>°>Ü>&?O?‹?¯?ã?à,0 0:0Z0t0’0o3§5q6y6†6*9³:Ç:Û:>â>ðd)1”1´1Ã2×2ë2¾4Ê4(5<5W5d5¿5Ë5)6=6X6e6À6Ì6*7>7Y7f7Á7Í7+8?8Z8g8Æ8Ó8"969Q9^9½9Ê9:-:H:U:°:¼:D;D»1Ç1ç1ó1k2Ð2934‘44¢4§4¬4±4¸4É4æ4ó45551565M57;=@>¾>M?Ì?00Ø012‘3à3u46d6x6Ÿ6«6q7È8;9E9Z9ô9“?  40Tj3þ3 4ø4Ì5Ø5}7Ø7ä7[8p8“8½8×8å8ÿ8 9|:À:;;O;“;›;Ä;<”<¸<Ù<ï<=Q=Ô=ì=k>º>i?@ 0®1#2|2É2*34É4ó4¼699˜9P8u7È7U8\8¥8¬8î8w::¤:Ï:Ö:;";{;‚;’;™;<|<ƒ<¾=Å=`/060.3;3H3å3ì3p ¢4³4Ä4{5ˆ5T6]6h7±>/?:?`?€002Þ2.9>9n;u;Æ:Í:ù:;/;³;º; 8 00ö2ý2e3k3x3"444O4:5M5Z5¦5­5 8§8œ;<e<E=R=Š?’?° ø0­1À$?6c6 8P8­8™9¦9³9–:¢:Õ:P>W>Ð0k4G5N5Q7â;é;àž1š2ð2!4@49:@:;e<c>ðˆZ0¨3¶6¾6Æ6Î6Ö6Þ6æ6î6ö6þ67777&7.767>7F7N7V7^7f7n7v7~7†7Ž7–7ž7¦7®7¶7¾7Æ7Î7Ö7Þ7æ7î7ö7þ78888&8.868>8F8N8V8^8f8n8v8~8†8Ž8–8ž8¦8®8¶8¾8Æ8Î8Ö8Þ8æ8î8ö8þ89999&9.969>9F9N9V9^9f9n9v9~9†9Ž9–9ž9¦9®9¶9¾9Æ9Î9Ö9Þ9æ9î9ö9þ9::::&:.:6:>:F:N:V:^:f:n:v:~:†:Ž:–:ž:¦:®:¶:¾:Æ:Î:Ö:Þ:æ:î:ö:þ:;;;;&;.;6;>;F;N;V;^;f;n;v;~;†;Ž;–;ž;¦;®;¶;¾;Æ;Î;Ö;Þ;æ;î;ö;þ;<<J<Ï<=o=¹=î=õ=û=)>^>e>k>™>Î>Õ>Û>?Hº4Á4Ç4ß4æ4ì475w5~5„5Ú5666¦6­6³6ì7ó7ù7{9‚9ˆ9å:ì:ò:B;I;O;%?,?2?4¦1­1³1Ï4ë4õ455`5n5{5‚5ª5±5·5Á7È7Î7æ7í7ó7 4`9d9h9l9p9t9x9|9€9„9ˆ9Œ99”9˜9œ9 9¤9¨9¬9°9´9¸9¼9À9Ä9È9Ì9Ð9Ô9Ø9Ü9à9ä9è9ì9ð9ô9ø9ü9::: : :$:(:,:0:4:8:<:@:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;; ;;;;; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;€;„;ˆ;Œ;;”;˜;œ; ;¤;¨;¬;°;´;¸;¼;À;Ä;È;Ì;Ð;Ô;Ø;Ü;à;ä;è;ì;ð;ô;ø;ü;<<@=D=H=L=P=T=X=\=`=d=h=l=p=0 h>l>p>t>x>|>€>„>ˆ>Œ>>@¬è4ì4ð4ô4ø4ü4555 555P5T5X5\5`5d5H8L8P8T8X8\8`8d8h8l8p8t8x8|8€8„8ˆ8Œ88”8˜8œ8 8¤8¨8¬8°8´8¸8¼8À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8ì8ð8ô8ø8ü8999 99999$>,>4><>D>L>T>\>d>l>
process_handle: 0x00000378
base_address: 0x00432000
success 1 0
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer: @
process_handle: 0x00000378
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELYI ^à  xh-$ @0ŸË ð;è Ð œÔ.text  P`.data\M N@`À.eh_framØp\@0@.bss„f€€`À.edata;ðb@0@.idataèd@0À.relocÐ x@0B
process_handle: 0x00000378
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 648 called NtSetContextThread to modify thread in remote process 176
Time & API Arguments Status Return Repeated
1619345099.499212
NtSetContextThread
thread_handle: 0x00000324
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 176
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 648 resumed a thread in remote process 176
Time & API Arguments Status Return Repeated
1619345099.843212
NtResumeThread
thread_handle: 0x00000324
suspend_count: 1
process_identifier: 176
success 0 0
Executed a process and injected code into it, probably while unpacking (18 个事件)
Time & API Arguments Status Return Repeated
1619345036.515212
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 648
success 0 0
1619345036.515212
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 648
success 0 0
1619345036.546212
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 648
success 0 0
1619345096.343212
CreateProcessInternalW
thread_identifier: 2968
thread_handle: 0x00000330
process_identifier: 2964
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwuRFhhU" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3C82.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000368
inherit_handles: 0
success 1 0
1619345099.499212
CreateProcessInternalW
thread_identifier: 1464
thread_handle: 0x00000324
process_identifier: 176
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x00000378
inherit_handles: 0
success 1 0
1619345099.499212
NtGetContextThread
thread_handle: 0x00000324
success 0 0
1619345099.499212
NtAllocateVirtualMemory
process_identifier: 176
region_size: 208896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000378
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELYI ^à  xh-$ @0ŸË ð;è Ð œÔ.text  P`.data\M N@`À.eh_framØp\@0@.bss„f€€`À.edata;ðb@0@.idataèd@0À.relocÐ x@0B
process_handle: 0x00000378
base_address: 0x00400000
success 1 0
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer:
process_handle: 0x00000378
base_address: 0x00401000
success 1 0
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer:
process_handle: 0x00000378
base_address: 0x00422000
success 1 0
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer: zR| ˆ(Œÿÿ9A†A ƒC q AÃAÆHŒÿÿ,C h`,Œÿÿ,C hxDŒÿÿFC0B|ŒÿÿFC0B¨´Œÿÿ>C0zzR| ˆ ČÿÿaAƒC0| AÃA @ÿÿaAƒC0| AÃA d\ÿÿaAƒC0| AÃA ˆ¨ÿÿICZ E S E JzR| ˆ|¦ÿÿzR| ˆÿÿ+C gzR| ˆ ÿÿKD†A ƒ}ÃEÆ0@¼ÿÿœA‡A †CƒH ‹Aà AÆAÇ,t(Žÿÿ\A†A ƒN ÃAÆA HÃAÆT¤XŽÿÿ…A…A ‡A†CƒE@M AÃAÆ AÇAÅA W EÃAÆ AÇAÅE 8üŽÿÿœA…A ‡C†CƒCPŒAÃAÆ AÇAÅ<8ôŽÿÿyA…A ‡F†AƒC@hAÃAÆ AÇAÅ4x4ÿÿþA‡A †AƒC Ø Aà AÆAÇA °üÿÿ‚AƒC x AÃA 4Ôh‘ÿÿŠA‡A †AƒC0a Aà AÆAÇA 4 À‘ÿÿŠA‡A †AƒC0a Aà AÆAÇA 4D’ÿÿœA‡A †AƒC0p Aà AÆAÇA zR| ˆ<h’ÿÿÑA…A ‡A†AƒC`0 CÃAÆ AÇAÅA zR| ˆ<ð”ÿÿ¸A…C ‡A†AƒC@ˆ AÃAÆ AÇAÅA <\p–ÿÿqA…A ‡A†AƒCpt AÃAÆ AÇAÅA zR| ˆ<Ÿÿÿ`A…A ‡A†AƒC@2 AÃAÆ AÇAÅA zR| ˆ<  ÿÿ?A…B F‡†ƒÚ ÃAÆAÇAÅ A µ ÃAÆAÇAÅ A
process_handle: 0x00000378
base_address: 0x00427000
success 1 0
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer: YI ^(ð(ð(ð(ð
process_handle: 0x00000378
base_address: 0x0042f000
success 1 0
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer:
process_handle: 0x00000378
base_address: 0x00430000
success 1 0
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer: X 00 0+010;0E0¦0Ä0Ë0å0*1Ý1ñ1 2%313|34[4S5.68™8¬9´94:Ý:û<==¶=À=Ë=‡>Ç>û>?? Œ¨1õ34¤5P6\6l6|6œ6º6Þ6ç708x8ª8Ñ9$:´;Ã;Ò;ã;÷;„<“<¢<¹<Ë<r=~=’=©=»=í=ø=>(>Ò>Ú>á>è>ú>? ??(?0?7?>?P?[?b?i??‡?Ž?•?§?²?¹?À?Ö?Þ?å?ì?þ?0ô 0001%1;1E1[1b1v1€1˜1Ÿ1³1º1Ë1Ú1ä1ò122+252K2R2d2n2}2„2œ2©2³2Â2Ì2Ú2÷23#353u3‡33¯3í34424m4w4Ž4¤4µ5¼5Ð5Ú5í5ô5 6646;6V6`6p6w66ˆ6±6¸6É6Ó6ê6ñ6777%7?7I7P7[7k7y7¡7¨7Ã7×7ð7ú78,8D8R8n8€88¢8¸8Í8×:ç:;);0;™;º;ä;ø;<‡=¤=Å=Õ=ÿ=„>Ó?ô?@`0)0M0f0—0 11 1{1–11§1®1µ1½1Ä1Õ1Ý1ä1ø12 222&2-282A2H2U2\2i2r2y2†22˜2¡2¨2µ2¼2â2ë2ó2ù23 30373¹3Á3È3Õ3Ý3ä3ñ3ù34 44444A4M4d4q4~4•4¡4®4Ä4Ý4ô4û45!565á5666¾6ç6ï6ù6E7­7Î7Ö7â7ê788+8Q8¦8Â8ý89W9^9e9q9x99†99–99¤9±9Ù9ø9::7:J:P:f:r:w:}:; ;\;d;~;¢;©;²;Æ;><K<R<W<c<j<q<%=4=C=¹=Ù=è=÷=>> >1>@>O>^>m>|>‹>š>©>¸>Ç>Ö>ô>ù>??4?9?Y?f?‡?ª?¯?Px0†0£0µ0Ù0á0í0ô01 111-151=1D1d1–1¡1+8Ë8ˆ9ú9:::‚:¯:º:À:;';@;H;M;Z;É;ì;÷;t<<•<©=Ú=â=ì=ÿ=> >><>C>_>y>È>`, 2•2Ã3Ê3ô355Ç5v6k8¤8Á8Ù8`9¥9c:G;b;­;p0d0«0Ã0ã0 1P1ò1M3¦3&6.7g7„7œ7Ã7ž8ù8(<J<˜>€À§0²1Ç1Ú1ä12h2Ï2î2L3£3*464U4a4’4é4M5Š566*616?6¨6®6ï6õ6 777*7q7®72888N8U8f8Ò8Ø89959<9¦9Â9á9:M:i:Ú:Y;f;;š;¿;×;ß;"<@<\<q<™<´<Ì<ä<ü<=,=D=\=t=Œ=¤=¼=ñ=ü=>4>9>C>m>>À>Æ>Ñ>?›?¡?Á?Ô?¸0'0[0c0x0ž0¦0Ë0û01'1/112É2â23$3D3[3˜3¥3Ë3ç3û34#4+4W4_4À4a5Š5!6Ì6ç6E7ó7€8¨8Ã8Ë8Ú8ß8ö8 99.999C9M9[9a9u9™9÷9ÿ9<:µ:ç:ò:;…;l<™<Í<ò<==!=*=3=<=E=N=W=`=i=r={=„=c>m>å>C?~?î?û? \ 0<0{0Ê011!1;1C1S1_1y1®1Î1ƒ2Ï2×2y3ê3@4H4˜4 45£5»5ò5ú5 6?6†6ª6ä6ë677@7¥7Ä7Þ7þ7{8°tç2-3P3Ö34?4ß45K5s5&6>6^6}6å6ú6777L7Þ788³8Æ89909S9f9¯9»9Ð9ó9:O:[:…:·:ê:;0;[;†;±;Ü;<2<[<‚<«<Ö<-=B=Ð?Àpr0<1s1à12~3L4X4Š4–4½4055“5Á56>6Œ6´6Å68y8¸8ì89\9Œ9¿9ü9,:_:œ:Ì:ÿ:<;p;£;#<5=’=Ñ=>8>u>¥>Ø>?E?x?µ?å?ÐH0U0‰0¼0<1v2k3·3 4Y4v5­5;6i6–6747'8ò9•:5=Ý=(>@>q>°>Ü>&?O?‹?¯?ã?à,0 0:0Z0t0’0o3§5q6y6†6*9³:Ç:Û:>â>ðd)1”1´1Ã2×2ë2¾4Ê4(5<5W5d5¿5Ë5)6=6X6e6À6Ì6*7>7Y7f7Á7Í7+8?8Z8g8Æ8Ó8"969Q9^9½9Ê9:-:H:U:°:¼:D;D»1Ç1ç1ó1k2Ð2934‘44¢4§4¬4±4¸4É4æ4ó45551565M57;=@>¾>M?Ì?00Ø012‘3à3u46d6x6Ÿ6«6q7È8;9E9Z9ô9“?  40Tj3þ3 4ø4Ì5Ø5}7Ø7ä7[8p8“8½8×8å8ÿ8 9|:À:;;O;“;›;Ä;<”<¸<Ù<ï<=Q=Ô=ì=k>º>i?@ 0®1#2|2É2*34É4ó4¼699˜9P8u7È7U8\8¥8¬8î8w::¤:Ï:Ö:;";{;‚;’;™;<|<ƒ<¾=Å=`/060.3;3H3å3ì3p ¢4³4Ä4{5ˆ5T6]6h7±>/?:?`?€002Þ2.9>9n;u;Æ:Í:ù:;/;³;º; 8 00ö2ý2e3k3x3"444O4:5M5Z5¦5­5 8§8œ;<e<E=R=Š?’?° ø0­1À$?6c6 8P8­8™9¦9³9–:¢:Õ:P>W>Ð0k4G5N5Q7â;é;àž1š2ð2!4@49:@:;e<c>ðˆZ0¨3¶6¾6Æ6Î6Ö6Þ6æ6î6ö6þ67777&7.767>7F7N7V7^7f7n7v7~7†7Ž7–7ž7¦7®7¶7¾7Æ7Î7Ö7Þ7æ7î7ö7þ78888&8.868>8F8N8V8^8f8n8v8~8†8Ž8–8ž8¦8®8¶8¾8Æ8Î8Ö8Þ8æ8î8ö8þ89999&9.969>9F9N9V9^9f9n9v9~9†9Ž9–9ž9¦9®9¶9¾9Æ9Î9Ö9Þ9æ9î9ö9þ9::::&:.:6:>:F:N:V:^:f:n:v:~:†:Ž:–:ž:¦:®:¶:¾:Æ:Î:Ö:Þ:æ:î:ö:þ:;;;;&;.;6;>;F;N;V;^;f;n;v;~;†;Ž;–;ž;¦;®;¶;¾;Æ;Î;Ö;Þ;æ;î;ö;þ;<<J<Ï<=o=¹=î=õ=û=)>^>e>k>™>Î>Õ>Û>?Hº4Á4Ç4ß4æ4ì475w5~5„5Ú5666¦6­6³6ì7ó7ù7{9‚9ˆ9å:ì:ò:B;I;O;%?,?2?4¦1­1³1Ï4ë4õ455`5n5{5‚5ª5±5·5Á7È7Î7æ7í7ó7 4`9d9h9l9p9t9x9|9€9„9ˆ9Œ99”9˜9œ9 9¤9¨9¬9°9´9¸9¼9À9Ä9È9Ì9Ð9Ô9Ø9Ü9à9ä9è9ì9ð9ô9ø9ü9::: : :$:(:,:0:4:8:<:@:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;;; ;;;;; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;€;„;ˆ;Œ;;”;˜;œ; ;¤;¨;¬;°;´;¸;¼;À;Ä;È;Ì;Ð;Ô;Ø;Ü;à;ä;è;ì;ð;ô;ø;ü;<<@=D=H=L=P=T=X=\=`=d=h=l=p=0 h>l>p>t>x>|>€>„>ˆ>Œ>>@¬è4ì4ð4ô4ø4ü4555 555P5T5X5\5`5d5H8L8P8T8X8\8`8d8h8l8p8t8x8|8€8„8ˆ8Œ88”8˜8œ8 8¤8¨8¬8°8´8¸8¼8À8Ä8È8Ì8Ð8Ô8Ø8Ü8à8ä8è8ì8ð8ô8ø8ü8999 99999$>,>4><>D>L>T>\>d>l>
process_handle: 0x00000378
base_address: 0x00432000
success 1 0
1619345099.499212
WriteProcessMemory
process_identifier: 176
buffer: @
process_handle: 0x00000378
base_address: 0x7efde008
success 1 0
1619345099.499212
NtSetContextThread
thread_handle: 0x00000324
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4203565
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 176
success 0 0
1619345099.843212
NtResumeThread
thread_handle: 0x00000324
suspend_count: 1
process_identifier: 176
success 0 0
1619345099.843212
NtResumeThread
thread_handle: 0x0000038c
suspend_count: 1
process_identifier: 648
success 0 0
File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.674520
McAfee GenericRXKU-JP!31C594DAA24B
Malwarebytes Backdoor.Remcos
Zillya Trojan.Kryptik.Win32.2039909
Sangfor Malware
K7AntiVirus Trojan ( 005679ce1 )
Alibaba Trojan:MSIL/Kryptik.eeccb366
K7GW Trojan ( 005679ce1 )
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZemsilF.34700.rm0@a475cqj
Cyren W32/Woreflint.B.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.WCE
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.MSIL.DOTHETUK.gen
BitDefender Gen:Variant.Razy.674520
NANO-Antivirus Trojan.Win32.Drop.ecauce
Tencent Msil.Trojan.Dothetuk.Ljub
Ad-Aware Gen:Variant.Razy.674520
Emsisoft Gen:Variant.Razy.674520 (B)
Comodo Malware@#1fngh1dt7f65j
F-Secure Heuristic.HEUR/AGEN.1137524
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06EC0PIA20
McAfee-GW-Edition GenericRXKU-JP!31C594DAA24B
FireEye Generic.mg.31c594daa24b28d6
Sophos Mal/Generic-S
Ikarus Trojan-Spy.Remcos
GData Gen:Variant.Razy.674520
eGambit Unsafe.AI_Score_98%
Avira HEUR/AGEN.1137524
Antiy-AVL Trojan/MSIL.DOTHETUK
Arcabit Trojan.Razy.DA4AD8
AegisLab Trojan.MSIL.DOTHETUK.4!c
ZoneAlarm HEUR:Trojan.MSIL.DOTHETUK.gen
Microsoft TrojanSpy:Win32/Loyeetro.B!bit
Cynet Malicious (score: 85)
ALYac Gen:Variant.Razy.674520
MAX malware (ai score=87)
Cylance Unsafe
Panda Trj/GdSda.A
TrendMicro-HouseCall TROJ_GEN.R06EC0PIA20
Yandex Trojan.Igent.bTVf7P.34
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.73691240.susgen
Fortinet MSIL/GenKryptik.EKOW!tr
Webroot W32.Trojan.Gen
AVG Win32:RATX-gen [Trj]
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 5.9.84.209:1011
dead_host 192.168.56.101:49186
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-28 01:04:14

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.