12.4
0-day

92f6d1e82205b64904076dbcb9909bc3ff06cd4c58c87518470eefdd8b4df084

531490e562cff3b98b57d65c7ef93801.exe

Analysis duration

76s

Most recent analysis

File size

692.0KB
Static detection Dynamic detection 100% ACCY AGENSLA AGENTTESLA AI SCORE=83 ATTRIBUTE AUTO BTU670 CLOUD CONFIDENCE ELDORADO GDSDA GENERICKD GENERICRXKY HIGH CONFIDENCE HIGHCONFIDENCE HLOVRH IGENT KRYPTIK MALICIOUS PE NANOCORE PWSX QVM03 RM0@A06DE2O SCORE THFOIBO TROJANPSW UNSAFE WACATAC ZEMSILF ZVMHJ
Hawkeye engine
Not detected. No Hawkeye engine detection results available.
Static verdict
Antivirus engines
Engine Result Time Version
McAfee GenericRXKY-NI!531490E562CF 20200714 6.0.6.653
Alibaba TrojanPSW:MSIL/NanoCore.0468dc6d 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20200714 18.4.3895.0
Kingsoft 20200714 2013.8.14.323
Tencent Win32.Trojan.Inject.Auto 20200714 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computer name (5 events)
Time & API Arguments Status Return Repeated
1619430322.084126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619430337.100126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619430337.881126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619430339.381126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619430339.522126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (11 events)
Time & API Arguments Status Return Repeated
1619426979.458279
IsDebuggerPresent
failed 0 0
1619426980.427279
IsDebuggerPresent
failed 0 0
1619426980.927279
IsDebuggerPresent
failed 0 0
1619426981.505279
IsDebuggerPresent
failed 0 0
1619426981.927279
IsDebuggerPresent
failed 0 0
1619426982.505279
IsDebuggerPresent
failed 0 0
1619426982.927279
IsDebuggerPresent
failed 0 0
1619426983.505279
IsDebuggerPresent
failed 0 0
1619426983.927279
IsDebuggerPresent
failed 0 0
1619426984.505279
IsDebuggerPresent
failed 0 0
1619430324.741126
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619430322.600126
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\jifTiSDFPNjWGO"。
console_handle: 0x00000007
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619426979.849279
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (6 events)
Time & API Arguments Status Return Repeated
1619430339.303126
__exception__
stacktrace:
0x235ebf5
0x235e034
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3993960
registers.edi: 3993988
registers.eax: 0
registers.ebp: 3994004
registers.edx: 158
registers.ebx: 0
registers.esi: 41601508
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 dc b8 57 f1 a9 c9 e9 62 ff
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x235efe5
success 0 0
1619430360.819126
__exception__
stacktrace:
0x5601651
0x235e7c2
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3992396
registers.edi: 1641419559
registers.eax: 3
registers.ebp: 3992452
registers.edx: 0
registers.ebx: 1966197852
registers.esi: 42839964
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 5c 39 00 89 45 c8 b8 ad 4c c9 02 e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x55e427d
success 0 0
1619430360.991126
__exception__
stacktrace:
0x235e7c2
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3992460
registers.edi: 41847552
registers.eax: 0
registers.ebp: 3994052
registers.edx: 0
registers.ebx: 940570513
registers.esi: 41770892
registers.ecx: 42881476
exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 8b 95 f8 f9 ff ff
exception.instruction: cmp dword ptr [eax + 8], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x56016e1
success 0 0
1619430360.991126
__exception__
stacktrace:
0x5601cce
0x235e7c2
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3992376
registers.edi: 3992436
registers.eax: 0
registers.ebp: 3992452
registers.edx: 3992344
registers.ebx: 940570513
registers.esi: 42891148
registers.ecx: 0
exception.instruction_r: 39 09 e8 e2 fe a7 6c 89 45 b8 33 d2 89 55 dc 8b
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x55e493f
success 0 0
1619430361.022126
__exception__
stacktrace:
0x5601f1a
0x235e7c2
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3992376
registers.edi: 774508419
registers.eax: 0
registers.ebp: 3992452
registers.edx: 42974684
registers.ebx: 42969920
registers.esi: 42971796
registers.ecx: 1911774966
exception.instruction_r: 39 00 68 ff ff ff 7f 6a 00 8b 4d c8 e8 95 bd b1
exception.instruction: cmp dword ptr [eax], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x55e83da
success 0 0
1619430361.037126
__exception__
stacktrace:
0x5602013
0x235e7c2
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3992332
registers.edi: 0
registers.eax: 0
registers.ebp: 3992452
registers.edx: 3992300
registers.ebx: 0
registers.esi: 41770892
registers.ecx: 0
exception.instruction_r: 39 09 e8 f5 be a7 6c 83 78 04 00 0f 84 41 04 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x55e892c
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 127 events)
Time & API Arguments Status Return Repeated
1619426978.583279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00510000
success 0 0
1619426978.583279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00540000
success 0 0
1619426979.239279
NtProtectVirtualMemory
process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619426979.458279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0052a000
success 0 0
1619426979.458279
NtProtectVirtualMemory
process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619426979.458279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00522000
success 0 0
1619426979.630279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00532000
success 0 0
1619426979.708279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00533000
success 0 0
1619426979.708279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ab000
success 0 0
1619426979.708279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a7000
success 0 0
1619426979.724279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053c000
success 0 0
1619426979.770279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00950000
success 0 0
1619426979.849279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00534000
success 0 0
1619426979.849279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00951000
success 0 0
1619426980.099279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00535000
success 0 0
1619426980.114279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00952000
success 0 0
1619426980.145279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053a000
success 0 0
1619426980.208279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0059a000
success 0 0
1619426980.239279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00592000
success 0 0
1619426980.286279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a5000
success 0 0
1619426980.567279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00536000
success 0 0
1619426980.645279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0058a000
success 0 0
1619426980.645279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00587000
success 0 0
1619426980.645279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0052b000
success 0 0
1619426980.661279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00538000
success 0 0
1619426980.755279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00586000
success 0 0
1619426980.770279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00953000
success 0 0
1619426980.974279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00541000
success 0 0
1619426981.020279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x06c00000
success 0 0
1619426981.052279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00954000
success 0 0
1619426981.067279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00539000
success 0 0
1619426981.067279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x06cb0000
success 0 0
1619426981.067279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x07400000
success 0 0
1619426981.067279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x075c0000
success 0 0
1619426981.067279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x075c1000
success 0 0
1619426981.099279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x075c2000
success 0 0
1619426981.099279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x075c3000
success 0 0
1619426981.114279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x075c4000
success 0 0
1619426981.114279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x075c5000
success 0 0
1619426981.114279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x075c6000
success 0 0
1619426981.114279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x075ca000
success 0 0
1619426981.114279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x075db000
success 0 0
1619426981.114279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00955000
success 0 0
1619426981.130279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x075dc000
success 0 0
1619426981.130279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x075dd000
success 0 0
1619426981.145279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x075de000
success 0 0
1619426981.145279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00956000
success 0 0
1619426981.192279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053b000
success 0 0
1619426981.302279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00523000
success 0 0
1619426981.317279
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00957000
success 0 0
Steals private information from local Internet browsers (7 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
Creates a suspicious process (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jifTiSDFPNjWGO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5C92.tmp"
cmdline schtasks.exe /Create /TN "Updates\jifTiSDFPNjWGO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5C92.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619426981.802279
ShellExecuteExW
parameters: /Create /TN "Updates\jifTiSDFPNjWGO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5C92.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.940847421240188 section {'size_of_data': '0x00052000', 'virtual_address': '0x00002000', 'entropy': 7.940847421240188, 'name': '.text', 'virtual_size': '0x00051f84'} description A section with a high entropy has been found
entropy 0.47433116413593635 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1619426980.177279
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619430336.881126
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jifTiSDFPNjWGO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5C92.tmp"
cmdline schtasks.exe /Create /TN "Updates\jifTiSDFPNjWGO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5C92.tmp"
Network communications
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619426984.208279
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
A process attempted to delay the analysis task (1 event)
description 531490e562cff3b98b57d65c7ef93801.exe tried to sleep 2728246 seconds, actually delayed analysis time by 2728246 seconds
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5C92.tmp
Harvests credentials from local FTP client software (5 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619426984.208279
WriteProcessMemory
process_identifier: 2364
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELBmÝ^à X>w €@ À@…ävW€   H.textDW X `.rsrc€Z@@.reloc  ^@B
process_handle: 0x000003b4
base_address: 0x00400000
success 1 0
1619426984.224279
WriteProcessMemory
process_identifier: 2364
buffer: €0€HX€´´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p(InternalNametdYBMNEAjKpPkCvoTkjOgxTeawQGHXQgMxG.exe(LegalCopyright x(OriginalFilenametdYBMNEAjKpPkCvoTkjOgxTeawQGHXQgMxG.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000003b4
base_address: 0x00448000
success 1 0
1619426984.224279
WriteProcessMemory
process_identifier: 2364
buffer: p @7
process_handle: 0x000003b4
base_address: 0x0044a000
success 1 0
1619426984.224279
WriteProcessMemory
process_identifier: 2364
buffer: @
process_handle: 0x000003b4
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619426984.208279
WriteProcessMemory
process_identifier: 2364
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELBmÝ^à X>w €@ À@…ävW€   H.textDW X `.rsrc€Z@@.reloc  ^@B
process_handle: 0x000003b4
base_address: 0x00400000
success 1 0
Harvests credentials from local email clients (6 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection: process 2528 called NtSetContextThread to modify a thread in remote process 2364
Time & API Arguments Status Return Repeated
1619426984.224279
NtSetContextThread
thread_handle: 0x00000360
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4486974
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2364
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection: process 2528 resumed a thread in remote process 2364
Time & API Arguments Status Return Repeated
1619426984.505279
NtResumeThread
thread_handle: 0x00000360
suspend_count: 1
process_identifier: 2364
success 0 0
Executed a process and injected code into it, probably while unpacking (21 events)
Time & API Arguments Status Return Repeated
1619426979.458279
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2528
success 0 0
1619426979.505279
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 2528
success 0 0
1619426980.380279
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2528
success 0 0
1619426980.411279
NtResumeThread
thread_handle: 0x00000240
suspend_count: 1
process_identifier: 2528
success 0 0
1619426981.802279
CreateProcessInternalW
thread_identifier: 2256
thread_handle: 0x0000036c
process_identifier: 1912
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jifTiSDFPNjWGO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5C92.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000003a4
inherit_handles: 0
success 1 0
1619426984.208279
CreateProcessInternalW
thread_identifier: 2996
thread_handle: 0x00000360
process_identifier: 2364
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\531490e562cff3b98b57d65c7ef93801.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\531490e562cff3b98b57d65c7ef93801.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000003b4
inherit_handles: 0
success 1 0
1619426984.208279
NtGetContextThread
thread_handle: 0x00000360
success 0 0
1619426984.208279
NtAllocateVirtualMemory
process_identifier: 2364
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619426984.208279
WriteProcessMemory
process_identifier: 2364
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELBmÝ^à X>w €@ À@…ävW€   H.textDW X `.rsrc€Z@@.reloc  ^@B
process_handle: 0x000003b4
base_address: 0x00400000
success 1 0
1619426984.208279
WriteProcessMemory
process_identifier: 2364
buffer:
process_handle: 0x000003b4
base_address: 0x00402000
success 1 0
1619426984.224279
WriteProcessMemory
process_identifier: 2364
buffer: €0€HX€´´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p(InternalNametdYBMNEAjKpPkCvoTkjOgxTeawQGHXQgMxG.exe(LegalCopyright x(OriginalFilenametdYBMNEAjKpPkCvoTkjOgxTeawQGHXQgMxG.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000003b4
base_address: 0x00448000
success 1 0
1619426984.224279
WriteProcessMemory
process_identifier: 2364
buffer: p @7
process_handle: 0x000003b4
base_address: 0x0044a000
success 1 0
1619426984.224279
WriteProcessMemory
process_identifier: 2364
buffer: @
process_handle: 0x000003b4
base_address: 0x7efde008
success 1 0
1619426984.224279
NtSetContextThread
thread_handle: 0x00000360
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4486974
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2364
success 0 0
1619426984.505279
NtResumeThread
thread_handle: 0x00000360
suspend_count: 1
process_identifier: 2364
success 0 0
1619430324.741126
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2364
success 0 0
1619430324.787126
NtResumeThread
thread_handle: 0x00000160
suspend_count: 1
process_identifier: 2364
success 0 0
1619430337.803126
NtResumeThread
thread_handle: 0x000002cc
suspend_count: 1
process_identifier: 2364
success 0 0
1619430337.819126
NtResumeThread
thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 2364
success 0 0
1619430339.350126
NtResumeThread
thread_handle: 0x00000368
suspend_count: 1
process_identifier: 2364
success 0 0
1619430372.522126
NtResumeThread
thread_handle: 0x00000300
suspend_count: 1
process_identifier: 2364
success 0 0
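The block above is the textbook process-hollowing (RunPE) sequence: the sample (PID 2528) spawns a copy of itself with CREATE_SUSPENDED, reserves an RWX region at the image base 0x00400000 in the child, writes a fresh PE (the MZ header, then the sections and version resource) into it, patches 4 bytes at 0x7efde008, sets the suspended thread's context and resumes it. The added example below is not part of the sandbox report or its tooling: it is a Python detector that walks a hand-constructed copy of this trace and emits one finding when the whole chain completes, plus a second check for the schtasks /Create persistence launched a few seconds earlier. The EVENTS list, the `caller` field (the flat trace does not carry the calling PID on each row, so it is assumed to be 2528 throughout) and the truncated buffer contents are assumptions of the example.

```python
"""Added example: flag a process-hollowing chain and schtasks persistence in a
Cuckoo-style API trace.  EVENTS is a hand-constructed subset of the report's
call sequence (timestamps, PIDs, handles and addresses copied from it); the
`caller` field and the shortened buffers are assumptions."""
import re

CREATE_SUSPENDED = 0x4          # creation_flags bit
PAGE_EXECUTE_READWRITE = 0x40   # NtAllocateVirtualMemory protection
PEB_IMAGE_BASE_OFFSET = 0x8     # PEB.ImageBaseAddress on 32-bit Windows

EVENTS = [
    {"ts": 1619426981.802279, "caller": 2528, "api": "CreateProcessInternalW",
     "process_identifier": 1912, "thread_handle": 0x36c, "creation_flags": 67634192,
     "command_line": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jifTiSDFPNjWGO" '
                     r'/XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp5C92.tmp"'},
    {"ts": 1619426984.208279, "caller": 2528, "api": "CreateProcessInternalW",
     "process_identifier": 2364, "thread_handle": 0x360, "creation_flags": 134217732,
     "command_line": ""},
    {"ts": 1619426984.208279, "caller": 2528, "api": "NtGetContextThread",
     "thread_handle": 0x360},
    {"ts": 1619426984.208279, "caller": 2528, "api": "NtAllocateVirtualMemory",
     "process_identifier": 2364, "base_address": 0x400000, "region_size": 311296,
     "protection": 64},
    {"ts": 1619426984.208279, "caller": 2528, "api": "WriteProcessMemory",
     "process_identifier": 2364, "base_address": 0x400000, "buffer": b"MZ\xff\xff"},
    {"ts": 1619426984.224279, "caller": 2528, "api": "WriteProcessMemory",
     "process_identifier": 2364, "base_address": 0x448000, "buffer": b"VS_VERSION_INFO"},
    {"ts": 1619426984.224279, "caller": 2528, "api": "WriteProcessMemory",
     "process_identifier": 2364, "base_address": 0x7EFDE008, "buffer": b"\x00\x00\x40\x00"},
    {"ts": 1619426984.224279, "caller": 2528, "api": "NtSetContextThread",
     "process_identifier": 2364, "thread_handle": 0x360,
     "registers": {"eax": 4486974, "ebx": 2130567168}},
    {"ts": 1619426984.505279, "caller": 2528, "api": "NtResumeThread",
     "process_identifier": 2364, "thread_handle": 0x360, "suspend_count": 1},
]


def _hollowing_verdict(injector, target, st):
    """Turn the per-target state into a finding once the thread is resumed."""
    rwx, entry, peb = st.get("rwx"), st.get("entry"), st.get("peb")
    if rwx is None or entry is None:
        return None
    base, size = rwx
    writes = st["writes"]
    mz_at_base = any(addr == base and buf.startswith(b"MZ") for addr, buf in writes)
    if not (mz_at_base and base <= entry < base + size):
        return None
    return {
        "injector": injector, "target": target,
        "image_base": hex(base), "image_size": hex(size),
        "entry_point": hex(entry), "peb": hex(peb),
        # a write at PEB+8 swaps ImageBaseAddress over to the injected image
        "peb_image_base_patched": any(addr == peb + PEB_IMAGE_BASE_OFFSET for addr, _ in writes),
    }


def detect_hollowing(events):
    """Walk the trace in time order and return one finding per (injector, target)
    that completes: CREATE_SUSPENDED -> RWX alloc -> MZ write at the alloc base ->
    NtSetContextThread with EAX inside that region -> NtResumeThread."""
    state, findings = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        api = ev["api"]
        if api == "CreateProcessInternalW":
            if ev["creation_flags"] & CREATE_SUSPENDED:
                state[(ev["caller"], ev["process_identifier"])] = {
                    "thread": ev["thread_handle"], "writes": []}
            continue
        key = (ev.get("caller"), ev.get("process_identifier"))
        st = state.get(key)
        if st is None:
            continue
        if api == "NtAllocateVirtualMemory" and ev["protection"] == PAGE_EXECUTE_READWRITE:
            st["rwx"] = (ev["base_address"], ev["region_size"])
        elif api == "WriteProcessMemory":
            st["writes"].append((ev["base_address"], ev["buffer"]))
        elif api == "NtSetContextThread" and ev["thread_handle"] == st["thread"]:
            # initial thread of a suspended process: EAX = entry point, EBX = PEB
            st["entry"], st["peb"] = ev["registers"]["eax"], ev["registers"]["ebx"]
        elif api == "NtResumeThread" and ev["thread_handle"] == st["thread"]:
            verdict = _hollowing_verdict(key[0], key[1], state.pop(key))
            if verdict:
                findings.append(verdict)
    return findings


SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
TASK_NAME = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_XML = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)
USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


def detect_schtasks_persistence(events):
    """Flag schtasks /Create launched with a task XML staged in the user's Temp
    folder, the pattern behind the Updates\\... task in this report."""
    findings = []
    for ev in events:
        cmd = ev.get("command_line", "")
        if ev["api"] != "CreateProcessInternalW" or not SCHTASKS_CREATE.search(cmd):
            continue
        name, xml = TASK_NAME.search(cmd), TASK_XML.search(cmd)
        xml_path = (xml.group(1) or xml.group(2)) if xml else ""
        findings.append({
            "caller": ev["caller"],
            "task_name": (name.group(1) or name.group(2)) if name else None,
            "xml_path": xml_path,
            "xml_from_temp": bool(USER_TEMP.search(xml_path)),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(EVENTS) + detect_schtasks_persistence(EVENTS):
        print(finding)
```

Reading the register values back gives the confirmation a reviewer wants: eax 4486974 is 0x44773e, inside the 0x4C000-byte region mapped at 0x400000, so the thread will start at the injected image's entry point; ebx 2130567168 is 0x7efde000, and the 4-byte write at 0x7efde008 (the "@" in the dump is 0x40, i.e. 0x00400000 little-endian) lands exactly on PEB.ImageBaseAddress. The detector requires all three signals (RWX allocation, MZ at its base, entry point inside it) before it fires, and treats the PEB patch as a corroborating field rather than a hard requirement, since some loaders skip it when the image base already matches.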
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 of 54 events shown)
MicroWorld-eScan Trojan.GenericKD.33986118
FireEye Generic.mg.531490e562cff3b9
CAT-QuickHeal Trojan.Multi
McAfee GenericRXKY-NI!531490E562CF
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 00567de21 )
Alibaba TrojanPSW:MSIL/NanoCore.0468dc6d
K7GW Trojan ( 00567de21 )
Cybereason malicious.a4387d
TrendMicro Trojan.MSIL.WACATAC.THFOIBO
Cyren W32/MSIL_Kryptik.AVB.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.WFJ
APEX Malicious
Avast Win32:PWSX-gen [Trj]
GData Trojan.GenericKD.33986118
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.33986118
NANO-Antivirus Trojan.Win32.Kryptik.hlovrh
Paloalto generic.ml
Rising Trojan.Kryptik!8.8 (CLOUD)
Ad-Aware Trojan.GenericKD.33986118
Sophos Mal/Generic-S
F-Secure Trojan.TR/AD.AgentTesla.zvmhj
VIPRE Trojan.Win32.Generic!BT
Invincea heuristic
Trapmine suspicious.low.ml.score
Emsisoft Trojan.GenericKD.33986118 (B)
Ikarus Trojan.MSIL.Inject
F-Prot W32/MSIL_Kryptik.AVB.gen!Eldorado
Jiangmin Trojan.PSW.MSIL.accy
Webroot W32.Trojan.Gen
Avira TR/AD.AgentTesla.zvmhj
MAX malware (ai score=83)
Endgame malicious (high confidence)
Arcabit Trojan.Generic.D2069646
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
Microsoft Trojan:MSIL/NanoCore.VN!MTB
Cynet Malicious (score: 100)
ALYac Spyware.AgentTesla
Malwarebytes Trojan.Crypt.MSIL
TrendMicro-HouseCall Trojan.MSIL.WACATAC.THFOIBO
Tencent Win32.Trojan.Inject.Auto
Yandex Trojan.Igent.bTU670.14
SentinelOne DFI - Malicious PE
eGambit Unsafe.AI_Score_99%
Fortinet MSIL/Kryptik.WFJ!tr
BitDefenderTheta Gen:NN.ZemsilF.34134.Rm0@a06De2o
Visual analysis
Binary image
No binary image: the sample did not produce a binary visualization image
Run screenshots
No run screenshots: no screenshots were captured while the sample ran

PE Compile Time

2020-06-08 08:25:02

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

All UDP flows above are OS and sandbox background rather than sample traffic: DNS to the guest's configured resolver 114.114.114.114, NetBIOS name and datagram broadcasts (137/138), NTP to time.windows.com, and LLMNR (5355), SSDP (1900) and WS-Discovery (3702) multicast. No C2 traffic was recorded during the analysis window, which says nothing about whether the injected payload carries a C2 configuration; the five DNS queries are the only rows worth a second look, and the report does not show the names queried.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.