13.0
0-day
51 个模型检测该样本为恶意!
重新分析
更多

57e4b777fe7668bb5da8bb8f0d50d2d1ea128c83c0461269c5254eecd0d22ae2

3aafc011ad15031cb3bc5240383f08d2.exe

分析耗时

76s

最近分析

文件大小

586.0KB
静态报毒 动态报毒 100% AGENSLA AI SCORE=84 ALI1000139 AUTO BABDJ BAOY BLADABINDI BTZKVT CONFIDENCE CRYPTINJECT EIOL ELDORADO FSEQ GDSDA GENERICKD GENKRYPTIK GOLROTED HAWKEY HIGH CONFIDENCE IGENT KRYPTIK MSILKRYPT NJRAT PACKEDNET R + TROJ R333080 RATX SCORE STARTER SUSGEN TSCOPE UNSAFE USWLM YAKBEEXMSIL 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/starter.ali1000139 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:RATX-gen [Trj] 20210122 21.1.5827.0
Kingsoft 20210123 2017.9.26.565
McAfee Trojan-FSEQ!3AAFC011AD15 20210123 6.0.6.653
Tencent Win32.Trojan.Inject.Auto 20210123 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (10 个事件)
Time & API Arguments Status Return Repeated
1619349564.000626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619349564.016626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619349564.047626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619349564.047626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619349567.594626
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619349567.594626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619349581.578375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619349585.438375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619349586.578375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619349588.266375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 91 个事件)
Time & API Arguments Status Return Repeated
1619345031.500886
IsDebuggerPresent
failed 0 0
1619345031.500886
IsDebuggerPresent
failed 0 0
1619345035.546886
IsDebuggerPresent
failed 0 0
1619345036.031886
IsDebuggerPresent
failed 0 0
1619345036.562886
IsDebuggerPresent
failed 0 0
1619345037.031886
IsDebuggerPresent
failed 0 0
1619345037.562886
IsDebuggerPresent
failed 0 0
1619345038.031886
IsDebuggerPresent
failed 0 0
1619345038.562886
IsDebuggerPresent
failed 0 0
1619345039.031886
IsDebuggerPresent
failed 0 0
1619345039.562886
IsDebuggerPresent
failed 0 0
1619345040.031886
IsDebuggerPresent
failed 0 0
1619345040.562886
IsDebuggerPresent
failed 0 0
1619345041.031886
IsDebuggerPresent
failed 0 0
1619345041.562886
IsDebuggerPresent
failed 0 0
1619345042.031886
IsDebuggerPresent
failed 0 0
1619345042.562886
IsDebuggerPresent
failed 0 0
1619345043.031886
IsDebuggerPresent
failed 0 0
1619345043.562886
IsDebuggerPresent
failed 0 0
1619345044.031886
IsDebuggerPresent
failed 0 0
1619345044.562886
IsDebuggerPresent
failed 0 0
1619345045.031886
IsDebuggerPresent
failed 0 0
1619345045.562886
IsDebuggerPresent
failed 0 0
1619345046.031886
IsDebuggerPresent
failed 0 0
1619345046.562886
IsDebuggerPresent
failed 0 0
1619345047.031886
IsDebuggerPresent
failed 0 0
1619345047.562886
IsDebuggerPresent
failed 0 0
1619345048.031886
IsDebuggerPresent
failed 0 0
1619345048.562886
IsDebuggerPresent
failed 0 0
1619345049.031886
IsDebuggerPresent
failed 0 0
1619345049.562886
IsDebuggerPresent
failed 0 0
1619345050.031886
IsDebuggerPresent
failed 0 0
1619345050.562886
IsDebuggerPresent
failed 0 0
1619345051.031886
IsDebuggerPresent
failed 0 0
1619345051.562886
IsDebuggerPresent
failed 0 0
1619345052.031886
IsDebuggerPresent
failed 0 0
1619345052.562886
IsDebuggerPresent
failed 0 0
1619345053.031886
IsDebuggerPresent
failed 0 0
1619345053.562886
IsDebuggerPresent
failed 0 0
1619345054.031886
IsDebuggerPresent
failed 0 0
1619345054.562886
IsDebuggerPresent
failed 0 0
1619345055.031886
IsDebuggerPresent
failed 0 0
1619345055.562886
IsDebuggerPresent
failed 0 0
1619345056.031886
IsDebuggerPresent
failed 0 0
1619345056.562886
IsDebuggerPresent
failed 0 0
1619345057.031886
IsDebuggerPresent
failed 0 0
1619345057.562886
IsDebuggerPresent
failed 0 0
1619345058.031886
IsDebuggerPresent
failed 0 0
1619345058.562886
IsDebuggerPresent
failed 0 0
1619345059.031886
IsDebuggerPresent
failed 0 0
Command line console output was observed (2 个事件)
Time & API Arguments Status Return Repeated
1619349582.141375
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\ppYmlOxksNObxX"。
console_handle: 0x00000007
success 1 0
1619349594.7035
WriteConsoleW
buffer: 操作成功完成。
console_handle: 0x00000007
success 1 0
Uses Windows APIs to generate a cryptographic key (50 out of 64 个事件)
Time & API Arguments Status Return Repeated
1619349565.547626
CryptExportKey
crypto_handle: 0x00202390
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.313626
CryptExportKey
crypto_handle: 0x00202c10
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.313626
CryptExportKey
crypto_handle: 0x00202c10
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.313626
CryptExportKey
crypto_handle: 0x00202c10
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.375626
CryptExportKey
crypto_handle: 0x00202c10
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.375626
CryptExportKey
crypto_handle: 0x00202c10
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.375626
CryptExportKey
crypto_handle: 0x00202c10
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.391626
CryptExportKey
crypto_handle: 0x00202c10
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.438626
CryptExportKey
crypto_handle: 0x00202e50
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.438626
CryptExportKey
crypto_handle: 0x00202e50
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.469626
CryptExportKey
crypto_handle: 0x00202e50
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.469626
CryptExportKey
crypto_handle: 0x00202e50
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.469626
CryptExportKey
crypto_handle: 0x00202e50
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.469626
CryptExportKey
crypto_handle: 0x00202e50
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.750626
CryptExportKey
crypto_handle: 0x00202990
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.766626
CryptExportKey
crypto_handle: 0x00202990
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.766626
CryptExportKey
crypto_handle: 0x00202990
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.766626
CryptExportKey
crypto_handle: 0x00202990
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.766626
CryptExportKey
crypto_handle: 0x00202990
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.766626
CryptExportKey
crypto_handle: 0x00202990
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349566.797626
CryptExportKey
crypto_handle: 0x00202990
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.266626
CryptExportKey
crypto_handle: 0x00202ad0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.266626
CryptExportKey
crypto_handle: 0x00202ad0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.266626
CryptExportKey
crypto_handle: 0x00202ad0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.266626
CryptExportKey
crypto_handle: 0x00202450
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.282626
CryptExportKey
crypto_handle: 0x00202ad0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.282626
CryptExportKey
crypto_handle: 0x00202ad0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.282626
CryptExportKey
crypto_handle: 0x00202ad0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.282626
CryptExportKey
crypto_handle: 0x00202ad0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.282626
CryptExportKey
crypto_handle: 0x00202ad0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.282626
CryptExportKey
crypto_handle: 0x00202ad0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.282626
CryptExportKey
crypto_handle: 0x00202ad0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.360626
CryptExportKey
crypto_handle: 0x00202ad0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.360626
CryptExportKey
crypto_handle: 0x00202ad0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.453626
CryptExportKey
crypto_handle: 0x00202610
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.453626
CryptExportKey
crypto_handle: 0x00202610
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.453626
CryptExportKey
crypto_handle: 0x00202610
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.453626
CryptExportKey
crypto_handle: 0x00202610
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.453626
CryptExportKey
crypto_handle: 0x00202610
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.453626
CryptExportKey
crypto_handle: 0x00202610
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.469626
CryptExportKey
crypto_handle: 0x00202610
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.532626
CryptExportKey
crypto_handle: 0x002028d0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.532626
CryptExportKey
crypto_handle: 0x002028d0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.672626
CryptExportKey
crypto_handle: 0x002028d0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.672626
CryptExportKey
crypto_handle: 0x002028d0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.688626
CryptExportKey
crypto_handle: 0x002028d0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.688626
CryptExportKey
crypto_handle: 0x002028d0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.703626
CryptExportKey
crypto_handle: 0x002028d0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.703626
CryptExportKey
crypto_handle: 0x002028d0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619349567.703626
CryptExportKey
crypto_handle: 0x002028d0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619345031.546886
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619349588.203375
__exception__
stacktrace: 
0xdbf5c5
0xdbeb52
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3797792
registers.edi: 1172579672
registers.eax: 0
registers.ebp: 3797836
registers.edx: 8
registers.ebx: 0
registers.esi: 40261108
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 2a bb 3e 4d e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb23206
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 293 个事件)
Time & API Arguments Status Return Repeated
1619345030.828886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x004d0000
success 0 0
1619345030.828886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00570000
success 0 0
1619345031.171886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02300000
success 0 0
1619345031.171886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x024b0000
success 0 0
1619345031.359886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619345031.500886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00ae0000
success 0 0
1619345031.500886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c60000
success 0 0
1619345031.500886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ea000
success 0 0
1619345031.500886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619345031.500886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002e2000
success 0 0
1619345031.781886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f2000
success 0 0
1619345031.984886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00415000
success 0 0
1619345031.984886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0041b000
success 0 0
1619345031.984886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00417000
success 0 0
1619345032.281886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f3000
success 0 0
1619345032.375886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002fc000
success 0 0
1619345032.750886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f4000
success 0 0
1619345032.765886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f6000
success 0 0
1619345032.906886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a80000
success 0 0
1619345033.046886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0030a000
success 0 0
1619345033.046886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00307000
success 0 0
1619345033.250886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f7000
success 0 0
1619345033.250886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f8000
success 0 0
1619345033.265886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002f9000
success 0 0
1619345033.281886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00306000
success 0 0
1619345034.500886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a81000
success 0 0
1619345034.578886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00cc0000
success 0 0
1619345034.687886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x024b1000
success 0 0
1619345034.765886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a82000
success 0 0
1619345034.968886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00cc1000
success 0 0
1619345034.968886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00cc2000
success 0 0
1619345034.984886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a83000
success 0 0
1619345035.000886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a84000
success 0 0
1619345035.000886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a85000
success 0 0
1619345035.015886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a86000
success 0 0
1619345035.015886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a87000
success 0 0
1619345035.140886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00cc3000
success 0 0
1619345035.187886
NtAllocateVirtualMemory
process_identifier: 284
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a88000
success 0 0
1619345035.343886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x044f0178
failed 3221225550 0
1619345035.343886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x044f01a0
failed 3221225550 0
1619345035.343886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x044f01c8
failed 3221225550 0
1619345035.343886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x045435fe
failed 3221225550 0
1619345035.343886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x045435f2
failed 3221225550 0
1619345035.343886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 72
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x044f0208
failed 3221225550 0
1619345035.343886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04534398
failed 3221225550 0
1619345035.343886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x045343b8
failed 3221225550 0
1619345035.343886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x045343c0
failed 3221225550 0
1619345035.343886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x045343c4
failed 3221225550 0
1619345035.343886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x045343cc
failed 3221225550 0
1619345035.343886
NtProtectVirtualMemory
process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x045343d0
failed 3221225550 0
Creates a shortcut to an executable file (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (3 个事件)
cmdline schtasks.exe /Create /TN "Updates\ppYmlOxksNObxX" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFDB4.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ppYmlOxksNObxX" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFDB4.tmp"
cmdline "powershell" Get-MpPreference -verbose
A process created a hidden window (2 个事件)
Time & API Arguments Status Return Repeated
1619345055.984886
CreateProcessInternalW
thread_identifier: 364
thread_handle: 0x0000027c
process_identifier: 2264
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell" Get-MpPreference -verbose
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000288
inherit_handles: 1
success 1 0
1619345075.546886
ShellExecuteExW
parameters: /Create /TN "Updates\ppYmlOxksNObxX" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFDB4.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.001627677151741 section {'size_of_data': '0x00091e00', 'virtual_address': '0x00002000', 'entropy': 7.001627677151741, 'name': '.text', 'virtual_size': '0x00091cc8'} description A section with a high entropy has been found
entropy 0.9965841161400513 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 个事件)
Time & API Arguments Status Return Repeated
1619345035.390886
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619349565.422626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619349584.969375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (3 个事件)
cmdline schtasks.exe /Create /TN "Updates\ppYmlOxksNObxX" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFDB4.tmp"
cmdline REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ppYmlOxksNObxX" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFDB4.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619345077.921886
NtAllocateVirtualMemory
process_identifier: 2536
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Looks for the Windows Idle Time to determine the uptime (1 个事件)
Time & API Arguments Status Return Repeated
1619349596.844375
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description RegSvcs.exe tried to sleep 2728182 seconds, actually delayed analysis time by 2728182 seconds
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619345077.921886
WriteProcessMemory
process_identifier: 2536
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL˜^à  ®¯ À@ @…T¯WÀ(à  H.text´  `.rsrc(À’@@.reloc à˜@B
process_handle: 0x000003e4
base_address: 0x00400000
success 1 0
1619345077.921886
WriteProcessMemory
process_identifier: 2536
buffer:  €P€8€€h€ Àœ<Ãêœ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d"InternalNameOGrWtTkAkBcapYrpmBAzEmOYXbXnL.exe(LegalCopyright l"OriginalFilenameOGrWtTkAkBcapYrpmBAzEmOYXbXnL.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x000003e4
base_address: 0x0044c000
success 1 0
1619345077.921886
WriteProcessMemory
process_identifier: 2536
buffer:   °?
process_handle: 0x000003e4
base_address: 0x0044e000
success 1 0
1619345077.921886
WriteProcessMemory
process_identifier: 2536
buffer: @
process_handle: 0x000003e4
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619345077.921886
WriteProcessMemory
process_identifier: 2536
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL˜^à  ®¯ À@ @…T¯WÀ(à  H.text´  `.rsrc(À’@@.reloc à˜@B
process_handle: 0x000003e4
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 284 called NtSetContextThread to modify thread in remote process 2536
Time & API Arguments Status Return Repeated
1619345077.921886
NtSetContextThread
thread_handle: 0x00000390
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4501422
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2536
success 0 0
Powershell script adds registry entries (1 个事件)
cmd schtasks.exe /create /tn "updates\ppymloxksnobxx" /xml "c:\users\administrator.oskar-pc\appdata\local\temp\tmpfdb4.tmp"reg add hkcu\software\microsoft\windows\currentversion\policies\explorer /v norun /t reg_dword /d 1 /f"c:\windows\system32\schtasks.exe" /create /tn "updates\ppymloxksnobxx" /xml "c:\users\administrator.oskar-pc\appdata\local\temp\tmpfdb4.tmp""powershell" get-mppreference -verbose"{path}"
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 284 resumed a thread in remote process 2536
Time & API Arguments Status Return Repeated
1619345078.171886
NtResumeThread
thread_handle: 0x00000390
suspend_count: 1
process_identifier: 2536
success 0 0
Disables Windows Security features (4 个事件)
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
Executed a process and injected code into it, probably while unpacking (33 个事件)
Time & API Arguments Status Return Repeated
1619345031.500886
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 284
success 0 0
1619345031.515886
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 284
success 0 0
1619345031.546886
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 284
success 0 0
1619345035.515886
NtResumeThread
thread_handle: 0x0000023c
suspend_count: 1
process_identifier: 284
success 0 0
1619345035.531886
NtResumeThread
thread_handle: 0x00000254
suspend_count: 1
process_identifier: 284
success 0 0
1619345055.984886
CreateProcessInternalW
thread_identifier: 364
thread_handle: 0x0000027c
process_identifier: 2264
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell" Get-MpPreference -verbose
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000288
inherit_handles: 1
success 1 0
1619345075.531886
CreateProcessInternalW
thread_identifier: 2452
thread_handle: 0x0000039c
process_identifier: 2516
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ppYmlOxksNObxX" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFDB4.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000003d4
inherit_handles: 0
success 1 0
1619345077.906886
CreateProcessInternalW
thread_identifier: 2468
thread_handle: 0x00000390
process_identifier: 2536
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000003e4
inherit_handles: 0
success 1 0
1619345077.921886
NtGetContextThread
thread_handle: 0x00000390
success 0 0
1619345077.921886
NtAllocateVirtualMemory
process_identifier: 2536
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003e4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619345077.921886
WriteProcessMemory
process_identifier: 2536
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL˜^à  ®¯ À@ @…T¯WÀ(à  H.text´  `.rsrc(À’@@.reloc à˜@B
process_handle: 0x000003e4
base_address: 0x00400000
success 1 0
1619345077.921886
WriteProcessMemory
process_identifier: 2536
buffer:
process_handle: 0x000003e4
base_address: 0x00402000
success 1 0
1619345077.921886
WriteProcessMemory
process_identifier: 2536
buffer:  €P€8€€h€ Àœ<Ãêœ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d"InternalNameOGrWtTkAkBcapYrpmBAzEmOYXbXnL.exe(LegalCopyright l"OriginalFilenameOGrWtTkAkBcapYrpmBAzEmOYXbXnL.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x000003e4
base_address: 0x0044c000
success 1 0
1619345077.921886
WriteProcessMemory
process_identifier: 2536
buffer:   °?
process_handle: 0x000003e4
base_address: 0x0044e000
success 1 0
1619345077.921886
WriteProcessMemory
process_identifier: 2536
buffer: @
process_handle: 0x000003e4
base_address: 0x7efde008
success 1 0
1619345077.921886
NtSetContextThread
thread_handle: 0x00000390
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4501422
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2536
success 0 0
1619345078.171886
NtResumeThread
thread_handle: 0x00000390
suspend_count: 1
process_identifier: 2536
success 0 0
1619345078.171886
NtResumeThread
thread_handle: 0x000003f8
suspend_count: 1
process_identifier: 284
success 0 0
1619349564.516626
NtResumeThread
thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 2264
success 0 0
1619349564.563626
NtResumeThread
thread_handle: 0x000002f4
suspend_count: 1
process_identifier: 2264
success 0 0
1619349568.157626
NtResumeThread
thread_handle: 0x00000460
suspend_count: 1
process_identifier: 2264
success 0 0
1619349568.828626
NtResumeThread
thread_handle: 0x000003b8
suspend_count: 1
process_identifier: 2264
success 0 0
1619349584.078375
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2536
success 0 0
1619349584.094375
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2536
success 0 0
1619349584.188375
NtResumeThread
thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2536
success 0 0
1619349586.407375
NtResumeThread
thread_handle: 0x000002e0
suspend_count: 1
process_identifier: 2536
success 0 0
1619349586.469375
NtResumeThread
thread_handle: 0x00000310
suspend_count: 1
process_identifier: 2536
success 0 0
1619349594.297375
NtResumeThread
thread_handle: 0x00000364
suspend_count: 1
process_identifier: 2536
success 0 0
1619349594.297375
NtResumeThread
thread_handle: 0x00000378
suspend_count: 1
process_identifier: 2536
success 0 0
1619349594.453375
CreateProcessInternalW
thread_identifier: 2960
thread_handle: 0x000003b0
process_identifier: 952
current_directory:
filepath:
track: 1
command_line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000003b4
inherit_handles: 0
success 1 0
1619349595.313375
NtResumeThread
thread_handle: 0x000003c0
suspend_count: 1
process_identifier: 2536
success 0 0
1619349595.532375
NtResumeThread
thread_handle: 0x000003d8
suspend_count: 1
process_identifier: 2536
success 0 0
1619349596.313375
NtResumeThread
thread_handle: 0x000003dc
suspend_count: 1
process_identifier: 2536
success 0 0
File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.33673275
FireEye Generic.mg.3aafc011ad15031c
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Trojan.GenericKD.33673275
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 00564aaa1 )
Alibaba Trojan:Win32/starter.ali1000139
K7GW Trojan ( 00564aaa1 )
Cybereason malicious.1ad150
Arcabit Trojan.Generic.D201D03B
Cyren W32/MSIL_Kryptik.ANQ.gen!Eldorado
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:RATX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.33673275
Paloalto generic.ml
Ad-Aware Trojan.GenericKD.33673275
Emsisoft Trojan.GenericKD.33673275 (B)
F-Secure Trojan.TR/Dropper.MSIL.uswlm
DrWeb Trojan.PackedNET.278
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.MSIL.GOLROTED.BABDJ
McAfee-GW-Edition BehavesLike.Win32.Generic.hh
Sophos Mal/Generic-R + Troj/HawkEy-GG
Ikarus Trojan-Spy.Agent
Jiangmin Trojan.PSW.MSIL.baoy
Webroot W32.Trojan.Gen
Avira TR/Dropper.MSIL.uswlm
MAX malware (ai score=84)
Microsoft Trojan:Win32/CryptInject!MSR
AegisLab Trojan.MSIL.Agensla.i!c
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.33673275
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.MSILKrypt.R333080
McAfee Trojan-FSEQ!3AAFC011AD15
VBA32 TScope.Trojan.MSIL
Malwarebytes Bladabindi.Backdoor.Njrat.DDS
ESET-NOD32 a variant of MSIL/Kryptik.VMD
TrendMicro-HouseCall TrojanSpy.MSIL.GOLROTED.BABDJ
Tencent Win32.Trojan.Inject.Auto
Yandex Trojan.Igent.bTzkvt.9
MaxSecure Trojan.Malware.74499699.susgen
Fortinet MSIL/GenKryptik.EIOL!tr
AVG Win32:RATX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-04-16 16:02:16

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.