15.0
0-day

6cef6b24f9c34ef5503ed6ba52ded7847882e7599bd39954ff9d3409042eeb74

4f06e6718d72fa923363b59a6268e008.exe

Analysis time

77s

Last analysis

File size

422.0KB
Static detection, dynamic detection: AGENTTESLA AI SCORE=89 ALI1000139 AM0@AEM3UEM ATTRIBUTE CONFIDENCE CRYSAN DKFA ELDORADO ENZE FANDANGO FAREIT GDSDA GENCIRC GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HNZLNZ KCLOUD KRYPT KRYPTIK LKBIP LOKIBOT MALWARE@#1FILWFLZFHX1C MALWAREX NANOCORE NEGASTEAL PACKEDNET QVM03 R + TROJ R344128 SCORE STARTER TKANJA0AMEB TSCOPE UNSAFE YAKBEEXMSIL ZEMSILF
Eagle Eye engine
Not detected: no Eagle Eye engine results available yet
Static verdict
Antivirus engines
Engine Result Date Engine version
McAfee Fareit-FWW!4F06E6718D72 20201227 6.0.6.653
CrowdStrike win/malicious_confidence_70% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:MalwareX-gen [Trj] 20201228 21.1.5827.0
Alibaba Trojan:Win32/starter.ali1000139 20190527 0.3.0.5
Kingsoft Win32.Hack.Undef.(kcloud) 20201228 2017.9.26.565
Tencent Malware.Win32.Gencirc.11a681b2 20201228 1.0.0.1
Static indicators
Queries for the computer name (3 events)
Time & API Arguments Status Return Repeated
1619432464.894249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619432471.644626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619432473.534001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (4 events)
Time & API Arguments Status Return Repeated
1619426980.475793
IsDebuggerPresent
failed 0 0
1619426980.475793
IsDebuggerPresent
failed 0 0
1619432469.003876
IsDebuggerPresent
failed 0 0
1619432469.003876
IsDebuggerPresent
failed 0 0
Command line console output was observed (3 events)
Time & API Arguments Status Return Repeated
1619432465.503249
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\LnJAltu"。
console_handle: 0x00000007
success 1 0
1619432471.894626
WriteConsoleW
buffer: 成功: 成功创建计划任务 "DSL Service"。
console_handle: 0x00000007
success 1 0
1619432473.831001
WriteConsoleW
buffer: 成功: 成功创建计划任务 "DSL Service Task"。
console_handle: 0x00000007
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619426980.506793
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Connects to a dynamic DNS domain (1 event)
domain ugorji.ddns.net
Allocates read-write-execute memory (usually to unpack itself) (50 of 134 events)
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a suspicious process (4 events)
cmdline "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFD66.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LnJAltu" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE181.tmp"
cmdline "schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp47B.tmp"
cmdline schtasks.exe /Create /TN "Updates\LnJAltu" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE181.tmp"
A process created a hidden window (3 events)
Time & API Arguments Status Return Repeated
1619427016.756793
ShellExecuteExW
parameters: /Create /TN "Updates\LnJAltu" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE181.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
1619432471.363876
CreateProcessInternalW
thread_identifier: 340
thread_handle: 0x0000025c
process_identifier: 2544
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFD66.tmp"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000264
inherit_handles: 1
success 1 0
1619432473.238876
CreateProcessInternalW
thread_identifier: 3108
thread_handle: 0x0000025c
process_identifier: 3104
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp47B.tmp"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000294
inherit_handles: 1
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.860273753333882 section {'size_of_data': '0x00058400', 'virtual_address': '0x00002000', 'entropy': 7.860273753333882, 'name': '.text', 'virtual_size': '0x00058344'} description A section with a high entropy has been found
entropy 0.8374851720047449 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier of a suspicious privilege on the system (2 events)
Time & API Arguments Status Return Repeated
1619427019.272793
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619432475.253876
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (8 events)
Time & API Arguments Status Return Repeated
1619427019.522793
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1036
process_handle: 0x0000037c
failed 0 0
1619427019.522793
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1036
process_handle: 0x0000037c
success 0 0
1619427019.803793
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2168
process_handle: 0x00000384
failed 0 0
1619427019.803793
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2168
process_handle: 0x00000384
success 0 0
1619427020.116793
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2956
process_handle: 0x0000038c
failed 0 0
1619427020.116793
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2956
process_handle: 0x0000038c
success 0 0
1619427020.397793
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2412
process_handle: 0x00000394
failed 0 0
1619427020.397793
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2412
process_handle: 0x00000394
success 0 0
Uses Windows utilities for basic Windows functionality (4 events)
cmdline "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFD66.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LnJAltu" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE181.tmp"
cmdline "schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp47B.tmp"
cmdline schtasks.exe /Create /TN "Updates\LnJAltu" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE181.tmp"
Network communication
One or more of the buffers contains an embedded PE file (2 events)
buffer Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission in another process, indicative of possible code injection (5 events)
Time & API Arguments Status Return Repeated
1619427019.256793
NtAllocateVirtualMemory
process_identifier: 1036
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000374
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619427019.616793
NtAllocateVirtualMemory
process_identifier: 2168
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000378
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619427019.897793
NtAllocateVirtualMemory
process_identifier: 2956
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000380
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619427020.178793
NtAllocateVirtualMemory
process_identifier: 2412
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000388
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619427020.537793
NtAllocateVirtualMemory
process_identifier: 2548
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000390
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Looks for the Windows idle time to determine the uptime (1 event)
Time & API Arguments Status Return Repeated
1619432475.659876
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task (1 event)
description 4f06e6718d72fa923363b59a6268e008.exe tried to sleep 5456397 seconds, actually delayed analysis time by 5456397 seconds
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service reg_value C:\Program Files (x86)\DSL Service\dslsvc.exe
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE181.tmp
Manipulates the memory of a non-child process, indicative of process injection (8 events)
Process injection Process 3064 manipulating memory of non-child process 1036
Process injection Process 3064 manipulating memory of non-child process 2168
Process injection Process 3064 manipulating memory of non-child process 2956
Process injection Process 3064 manipulating memory of non-child process 2412
Time & API Arguments Status Return Repeated
1619427019.256793
NtAllocateVirtualMemory
process_identifier: 1036
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000374
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619427019.616793
NtAllocateVirtualMemory
process_identifier: 2168
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000378
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619427019.897793
NtAllocateVirtualMemory
process_identifier: 2956
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000380
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619427020.178793
NtAllocateVirtualMemory
process_identifier: 2412
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000388
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (3 events)
Time & API Arguments Status Return Repeated
1619427020.537793
WriteProcessMemory
process_identifier: 2548
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà Èb’ç @ €8çW ¸_  H.text˜Ç È `.reloc Ê@B.rsrc¸_ `Ì@@
process_handle: 0x00000390
base_address: 0x00400000
success 1 0
1619427020.537793
WriteProcessMemory
process_identifier: 2548
buffer: à ”7
process_handle: 0x00000390
base_address: 0x00420000
success 1 0
1619427020.537793
WriteProcessMemory
process_identifier: 2548
buffer: @
process_handle: 0x00000390
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619427020.537793
WriteProcessMemory
process_identifier: 2548
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà Èb’ç @ €8çW ¸_  H.text˜Ç È `.reloc Ê@B.rsrc¸_ `Ì@@
process_handle: 0x00000390
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 3064 called NtSetContextThread to modify thread in remote process 2548
Time & API Arguments Status Return Repeated
1619427020.537793
NtSetContextThread
thread_handle: 0x00000394
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2548
success 0 0
Attempts to remove evidence of the file having been downloaded from the Internet (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f06e6718d72fa923363b59a6268e008.exe:Zone.Identifier
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 3064 resumed a thread in remote process 2548
Time & API Arguments Status Return Repeated
1619427020.834793
NtResumeThread
thread_handle: 0x00000394
suspend_count: 1
process_identifier: 2548
success 0 0
Executed a process and injected code into it, probably while unpacking (40 events)
Time & API Arguments Status Return Repeated
1619426980.475793
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3064
success 0 0
1619426980.491793
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 3064
success 0 0
1619426980.522793
NtResumeThread
thread_handle: 0x00000160
suspend_count: 1
process_identifier: 3064
success 0 0
1619427016.756793
CreateProcessInternalW
thread_identifier: 300
thread_handle: 0x00000328
process_identifier: 920
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LnJAltu" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpE181.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000364
inherit_handles: 0
success 1 0
1619427019.256793
CreateProcessInternalW
thread_identifier: 1124
thread_handle: 0x0000031c
process_identifier: 1036
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f06e6718d72fa923363b59a6268e008.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f06e6718d72fa923363b59a6268e008.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000374
inherit_handles: 0
success 1 0
1619427019.256793
NtGetContextThread
thread_handle: 0x0000031c
success 0 0
1619427019.256793
NtAllocateVirtualMemory
process_identifier: 1036
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000374
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619427019.616793
CreateProcessInternalW
thread_identifier: 1244
thread_handle: 0x0000037c
process_identifier: 2168
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f06e6718d72fa923363b59a6268e008.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f06e6718d72fa923363b59a6268e008.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000378
inherit_handles: 0
success 1 0
1619427019.616793
NtGetContextThread
thread_handle: 0x0000037c
success 0 0
1619427019.616793
NtAllocateVirtualMemory
process_identifier: 2168
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000378
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619427019.897793
CreateProcessInternalW
thread_identifier: 2948
thread_handle: 0x00000384
process_identifier: 2956
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f06e6718d72fa923363b59a6268e008.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f06e6718d72fa923363b59a6268e008.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000380
inherit_handles: 0
success 1 0
1619427019.897793
NtGetContextThread
thread_handle: 0x00000384
success 0 0
1619427019.897793
NtAllocateVirtualMemory
process_identifier: 2956
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000380
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619427020.178793
CreateProcessInternalW
thread_identifier: 952
thread_handle: 0x0000038c
process_identifier: 2412
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f06e6718d72fa923363b59a6268e008.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f06e6718d72fa923363b59a6268e008.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000388
inherit_handles: 0
success 1 0
1619427020.178793
NtGetContextThread
thread_handle: 0x0000038c
success 0 0
1619427020.178793
NtAllocateVirtualMemory
process_identifier: 2412
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000388
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619427020.522793
CreateProcessInternalW
thread_identifier: 300
thread_handle: 0x00000394
process_identifier: 2548
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f06e6718d72fa923363b59a6268e008.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4f06e6718d72fa923363b59a6268e008.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000390
inherit_handles: 0
success 1 0
1619427020.537793
NtGetContextThread
thread_handle: 0x00000394
success 0 0
1619427020.537793
NtAllocateVirtualMemory
process_identifier: 2548
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000390
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619427020.537793
WriteProcessMemory
process_identifier: 2548
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡'éTà Èb’ç @ €8çW ¸_  H.text˜Ç È `.reloc Ê@B.rsrc¸_ `Ì@@
process_handle: 0x00000390
base_address: 0x00400000
success 1 0
1619427020.537793
WriteProcessMemory
process_identifier: 2548
buffer:
process_handle: 0x00000390
base_address: 0x00402000
success 1 0
1619427020.537793
WriteProcessMemory
process_identifier: 2548
buffer: à ”7
process_handle: 0x00000390
base_address: 0x00420000
success 1 0
1619427020.537793
WriteProcessMemory
process_identifier: 2548
buffer:
process_handle: 0x00000390
base_address: 0x00422000
success 1 0
1619427020.537793
WriteProcessMemory
process_identifier: 2548
buffer: @
process_handle: 0x00000390
base_address: 0x7efde008
success 1 0
1619427020.537793
NtSetContextThread
thread_handle: 0x00000394
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4319122
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2548
success 0 0
1619427020.834793
NtResumeThread
thread_handle: 0x00000394
suspend_count: 1
process_identifier: 2548
success 0 0
1619427020.834793
NtResumeThread
thread_handle: 0x000003a8
suspend_count: 1
process_identifier: 3064
success 0 0
1619427020.850793
NtGetContextThread
thread_handle: 0x000003a8
success 0 0
1619427020.850793
NtGetContextThread
thread_handle: 0x000003a8
success 0 0
1619427020.850793
NtResumeThread
thread_handle: 0x000003a8
suspend_count: 1
process_identifier: 3064
success 0 0
1619432469.003876
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2548
success 0 0
1619432469.003876
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2548
success 0 0
1619432469.191876
NtResumeThread
thread_handle: 0x000001a0
suspend_count: 1
process_identifier: 2548
success 0 0
1619432471.363876
CreateProcessInternalW
thread_identifier: 340
thread_handle: 0x0000025c
process_identifier: 2544
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpFD66.tmp"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000264
inherit_handles: 1
success 1 0
1619432473.238876
CreateProcessInternalW
thread_identifier: 3108
thread_handle: 0x0000025c
process_identifier: 3104
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp47B.tmp"
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000294
inherit_handles: 1
success 1 0
1619432475.066876
NtResumeThread
thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 2548
success 0 0
1619432475.066876
NtResumeThread
thread_handle: 0x000002d0
suspend_count: 1
process_identifier: 2548
success 0 0
1619432475.144876
NtResumeThread
thread_handle: 0x000002f0
suspend_count: 1
process_identifier: 2548
success 0 0
1619432475.613876
NtResumeThread
thread_handle: 0x00000310
suspend_count: 1
process_identifier: 2548
success 0 0
1619432479.331876
NtResumeThread
thread_handle: 0x00000378
suspend_count: 1
process_identifier: 2548
success 0 0
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Fandango.1
FireEye Generic.mg.4f06e6718d72fa92
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FWW!4F06E6718D72
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
AegisLab Trojan.MSIL.Crysan.m!c
Sangfor Malware
K7AntiVirus Trojan ( 0056a7b51 )
BitDefender Gen:Variant.Fandango.1
K7GW Trojan ( 0056a7b51 )
CrowdStrike win/malicious_confidence_70% (W)
Cyren W32/MSIL_Kryptik.BCN.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
Kaspersky HEUR:Backdoor.MSIL.Crysan.gen
Alibaba Trojan:Win32/starter.ali1000139
NANO-Antivirus Trojan.Win32.Crysan.hnzlnz
Rising Backdoor.Crysan!8.10ECA (TFE:C:tkANJA0AmEB)
Ad-Aware Gen:Variant.Fandango.1
Sophos Mal/Generic-R + Troj/MSIL-PHV
Comodo Malware@#1filwflzfhx1c
F-Secure Trojan.TR/AD.Nanocore.lkbip
DrWeb Trojan.PackedNET.380
TrendMicro TrojanSpy.MSIL.NEGASTEAL.SME
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
Emsisoft Gen:Variant.Fandango.1 (B)
Ikarus Trojan.MSIL.Krypt
GData Gen:Variant.Fandango.1
Jiangmin Backdoor.MSIL.dkfa
Avira TR/AD.Nanocore.lkbip
MAX malware (ai score=89)
Antiy-AVL Trojan[Spy]/MSIL.AgentTesla
Kingsoft Win32.Hack.Undef.(kcloud)
Arcabit Trojan.Fandango.1
ZoneAlarm HEUR:Backdoor.MSIL.Crysan.gen
Microsoft TrojanSpy:MSIL/AgentTesla.CK!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Lokibot.R344128
BitDefenderTheta Gen:NN.ZemsilF.34700.Am0@aeM3uEm
ALYac Gen:Variant.Fandango.1
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MalPack
Panda Trj/GdSda.A
ESET-NOD32 a variant of MSIL/Kryptik.WUA
TrendMicro-HouseCall TrojanSpy.MSIL.NEGASTEAL.SME
Tencent Malware.Win32.Gencirc.11a681b2
eGambit Unsafe.AI_Score_99%
Visual analysis
Binary image
No binary image: this sample did not generate a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2020-07-10 14:37:13

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source Port  Destination                     Destination Port
192.168.56.101  50534        114.114.114.114                 53
192.168.56.101  51378        114.114.114.114                 53
192.168.56.101  55368        114.114.114.114                 53
192.168.56.101  56539        114.114.114.114                 53
192.168.56.101  58367        114.114.114.114                 53
192.168.56.101  65004        114.114.114.114                 53
192.168.56.101  137          192.168.56.255                  137
192.168.56.101  138          192.168.56.255                  138
192.168.56.101  123          20.189.79.72 (time.windows.com) 123
192.168.56.101  49235        224.0.0.252                     5355
192.168.56.101  56804        224.0.0.252                     5355
192.168.56.101  60123        224.0.0.252                     5355
192.168.56.101  62191        224.0.0.252                     5355
192.168.56.101  1900         239.255.255.250                 1900
192.168.56.101  50535        239.255.255.250                 3702
192.168.56.101  56540        239.255.255.250                 3702
192.168.56.101  56807        239.255.255.250                 1900
192.168.56.101  58707        239.255.255.250                 3702
192.168.56.101  53237        8.8.4.4                         53
192.168.56.101  53657        8.8.4.4                         53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.