13.2
0-day

SHA256: 2a44717f99e2446d315027f4cd90bfca21e77fcba2811ec556b1193de98b7d38
File name: 597e4ec93987eb13f905a15f11530e3c.exe
Analysis duration: 78s
File size: 445.5KB
Static detection: malicious. Dynamic detection: malicious.
Detection tags (tokens drawn from vendor detection names): 100%, AGENTTESLA, AI SCORE=87, ARTEMIS, BM0@AWWN3LN, BTD180, CONFIDENCE, EJLX, ELDORADO, GENERICKD, GENKRYPTIK, HEAPOVERRIDE, HIGH CONFIDENCE, HJOLPL, IGENT, KRYPT, KRYPTIK, MALICIOUS PE, MALWARE@#2Z8O9CPCICEOM, NANOCORE, PWSX, R + TROJ, R06EC0PI220, RRAT, SCORE, SIGGEN9, SKEEYAH, STATIC AI, STEALE, SUSGEN, SWVE, UNSAFE, YAKBEEXMSIL, YHIEP, ZEMSILF
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine result is available for this sample.
Static verdict
Antivirus engines
Engine        Result                              Date      Version
Alibaba       Trojan:MSIL/Kryptik.55fc2a4c        20190527  0.3.0.5
Baidu         -                                   20190318  1.0.0.2
Avast         Win32:PWSX-gen [Trj]                20201228  21.1.5827.0
Tencent       Msil.Trojan.Rrat.Swve               20201228  1.0.0.1
Kingsoft      -                                   20201228  2017.9.26.565
McAfee        Artemis!597E4EC93987                20201228  6.0.6.653
CrowdStrike   win/malicious_confidence_100% (W)   20190702  1.0
(- marks an empty result column in the original listing.)
Static indicators
Queries the computer name (4 events)
Time & API Arguments Status Return Repeated
1619525609.087626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525624.760126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525626.213126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619525627.650126
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks whether the process is being debugged (2 events)
Time & API Arguments Status Return Repeated
1619513304.897269
IsDebuggerPresent
failed 0 0
1619525611.994126
IsDebuggerPresent
failed 0 0
Command-line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619525609.602626
WriteConsoleW
buffer: SUCCESS: The scheduled task "Updates\urZsqZHsklS" has successfully been created. (schtasks.exe output, translated from the Chinese-locale message 成功: 成功创建计划任务 "Updates\urZsqZHsklS"。)
console_handle: 0x00000007
success 1 0
Checks the amount of memory in the system; a low amount can be used to detect a virtual machine (1 event)
Time & API Arguments Status Return Repeated
1619513305.647269
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (6 events)
All six are access violations (exception code 0xc0000005) on null-pointer reads: in every record the base register of the faulting instruction (ecx, esi or eax) is 0. They are raised from unnamed, dynamically generated code frames beneath mscorwks.dll, the .NET 2.0/3.5 CLR, so the sample is managed code running on the legacy runtime.
Time & API Arguments Status Return Repeated
1619525627.635126
__exception__
stacktrace:
0x46cf5d6
0x46cea17
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1766180
registers.edi: 40407492
registers.eax: 0
registers.ebp: 1766224
registers.edx: 158
registers.ebx: 1766412
registers.esi: 1946637268
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 dc 69 c6 f5 17 56 eb 35 79
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x46cf9d2
success 0 0
1619525652.744126
__exception__
stacktrace:
0x53a1fae
0x46cefe8
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1764460
registers.edi: 1764560
registers.eax: 0
registers.ebp: 1764576
registers.edx: 1764428
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
exception.instruction_r: 39 09 e8 c5 d2 cb 6c 83 78 04 00 0f 84 69 04 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x53a755c
success 0 0
1619525657.447126
__exception__
stacktrace:
0x53a27a3
0x46cefe8
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1764496
registers.edi: 1764560
registers.eax: 0
registers.ebp: 1764576
registers.edx: 1764464
registers.ebx: 40638972
registers.esi: 41941920
registers.ecx: 0
exception.instruction_r: 39 09 e8 32 80 b6 6c 89 45 b4 33 d2 89 55 dc 8b
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x54fc7ef
success 0 0
1619525657.463126
__exception__
stacktrace:
0x53a2944
0x46cefe8
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1764516
registers.edi: 40906356
registers.eax: 41980300
registers.ebp: 1764576
registers.edx: 41980300
registers.ebx: 40638972
registers.esi: 0
registers.ecx: 1911774966
exception.instruction_r: 39 06 68 ff ff ff 7f 6a 00 8b ce e8 bb 6a c0 6c
exception.instruction: cmp dword ptr [esi], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x54fd6b5
success 0 0
1619525657.478126
__exception__
stacktrace:
0x53a3140
0x46cefe8
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1764520
registers.edi: 42029328
registers.eax: 3
registers.ebp: 1764576
registers.edx: 0
registers.ebx: 40638972
registers.esi: 2031957520
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 5c 39 00 89 45 c8 b8 8c 5d 18 53 e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x54ff073
success 0 0
1619525657.619126
__exception__
stacktrace:
0x46cefe8
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1764584
registers.edi: 289825833
registers.eax: 0
registers.ebp: 1766276
registers.edx: 12
registers.ebx: 40638972
registers.esi: 116440798
registers.ecx: 14
exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 8b 95 e4 f9 ff ff
exception.instruction: cmp dword ptr [eax + 8], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x53a2de1
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 140 events shown)
Time & API Arguments Status Return Repeated
1619513304.100269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x006c0000
success 0 0
1619513304.100269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007a0000
success 0 0
1619513304.818269
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619513304.897269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053a000
success 0 0
1619513304.897269
NtProtectVirtualMemory
process_identifier: 2424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619513304.897269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00532000
success 0 0
1619513305.240269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00542000
success 0 0
1619513305.428269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00543000
success 0 0
1619513305.443269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0057b000
success 0 0
1619513305.443269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00577000
success 0 0
1619513305.490269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054c000
success 0 0
1619513305.568269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00780000
success 0 0
1619513305.615269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00781000
success 0 0
1619513305.631269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00782000
success 0 0
1619513305.631269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00783000
success 0 0
1619513305.662269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00784000
success 0 0
1619513306.022269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00544000
success 0 0
1619513306.084269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00545000
success 0 0
1619513306.084269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00546000
success 0 0
1619513306.178269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00547000
success 0 0
1619513306.287269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00562000
success 0 0
1619513306.287269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056c000
success 0 0
1619513306.287269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00548000
success 0 0
1619513306.287269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00785000
success 0 0
1619513306.303269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00788000
success 0 0
1619513306.334269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0055a000
success 0 0
1619513306.334269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00557000
success 0 0
1619513306.350269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056a000
success 0 0
1619513306.365269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0053b000
success 0 0
1619513306.459269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00789000
success 0 0
1619513306.475269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078a000
success 0 0
1619513306.865269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00556000
success 0 0
1619513306.865269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078b000
success 0 0
1619513306.881269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0054a000
success 0 0
1619513306.912269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00690000
success 0 0
1619513306.928269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078c000
success 0 0
1619513307.084269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078d000
success 0 0
1619513307.147269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00549000
success 0 0
1619513307.318269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00575000
success 0 0
1619513307.412269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007a1000
success 0 0
1619513307.647269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0078e000
success 0 0
1619513307.647269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00eb0000
success 0 0
1619513307.647269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x05610000
success 0 0
1619513307.647269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05780000
success 0 0
1619513307.647269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05781000
success 0 0
1619513307.678269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05782000
success 0 0
1619513307.693269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05783000
success 0 0
1619513307.693269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05784000
success 0 0
1619513307.709269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05785000
success 0 0
1619513307.709269
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05786000
success 0 0
Steals private information from local Internet browsers (7 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
Creates a suspicious process (2 events)
cmdline schtasks.exe /Create /TN "Updates\urZsqZHsklS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp628D.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\urZsqZHsklS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp628D.tmp"
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated
1619513308.662269
ShellExecuteExW
parameters: /Create /TN "Updates\urZsqZHsklS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp628D.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
1619525652.947126
CreateProcessInternalW
thread_identifier: 2528
thread_handle: 0x000003bc
process_identifier: 2436
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000003c8
inherit_handles: 1
success 1 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619525641.682126
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\597e4ec93987eb13f905a15f11530e3c.exe
newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpG665.tmp
newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\\tmpG665.tmp
flags: 8
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\597e4ec93987eb13f905a15f11530e3c.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.8379000947999815 section {'size_of_data': '0x0006ec00', 'virtual_address': '0x00002000', 'entropy': 7.8379000947999815, 'name': '.text', 'virtual_size': '0x0006eb04'} description A section with a high entropy has been found
entropy 0.9955056179775281 description Overall entropy of this PE file is high
Note that the two figures are not on the same scale. 7.8379 is the Shannon entropy of the .text section in bits per byte (the maximum is 8.0; the signature flags sections above 6.8), which is what encrypted or compressed content looks like. 0.9955 is not an entropy at all but a ratio: the share of the file's section data that belongs to high-entropy sections. With the 0x6ec00-byte .text section accounting for almost all section bytes, that share is 99.6%.
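The two entropy figures above come from different computations. The Python below is an added example, not part of this report or of the sample: it computes the per-section Shannon entropy and the high-entropy byte ratio on constructed section data. The 6.8 bits/byte section threshold and the 0.2 ratio threshold are assumed from the Cuckoo packer_entropy signature whose wording this report reproduces; the section bytes are synthetic stand-ins, not the sample's.

```python
import math
import random

SECTION_ENTROPY_THRESHOLD = 6.8   # bits/byte; assumed Cuckoo packer_entropy per-section threshold
HIGH_SECTION_RATIO = 0.2          # assumed threshold on the share of bytes in high-entropy sections


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def packer_indicators(sections):
    """sections: iterable of (name, raw_section_bytes).
    Returns (entropy per section, share of section bytes in high-entropy sections, file flagged?).
    The second value is the ratio the report labels 'Overall entropy', not a Shannon entropy."""
    per_section = {}
    high_bytes = total_bytes = 0
    for name, raw in sections:
        e = shannon_entropy(raw)
        per_section[name] = e
        total_bytes += len(raw)
        if e > SECTION_ENTROPY_THRESHOLD:
            high_bytes += len(raw)
    ratio = high_bytes / total_bytes if total_bytes else 0.0
    return per_section, ratio, ratio > HIGH_SECTION_RATIO


def constructed_sections():
    """Constructed stand-in for a packed .NET PE: an encrypted-looking .text, a sparse .rsrc,
    a zero-filled .reloc. These are NOT the real sample's bytes."""
    rng = random.Random(0x55FC2A4C)                       # fixed seed: reproducible numbers
    text = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    rsrc = (b"\x00" * 8 + b"VS_VERSION_INFO") * 64        # low-entropy version resource look-alike
    rsrc += b"\x00" * (1536 - len(rsrc))
    reloc = b"\x00" * 512
    return [(".text", text), (".rsrc", rsrc), (".reloc", reloc)]


if __name__ == "__main__":
    per, ratio, flagged = packer_indicators(constructed_sections())
    for name, e in per.items():
        print(f"{name:8s} entropy={e:.4f} bits/byte")
    print(f"high-entropy share={ratio:.4f} flagged={flagged}")
```

Running it prints a .text entropy close to 8.0 and a high-entropy share of about 0.97, the same shape as the report's 7.84 and 0.9955. A 6.8 threshold is deliberately loose: genuinely compressed resources or embedded media also exceed it, so the ratio matters more than any single section.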
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1619513311.584269
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619525612.869126
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 events)
Time & API Arguments Status Return Repeated
1619525624.119126
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2424
process_handle: 0x0000021c
failed 0 0
1619525624.119126
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2424
process_handle: 0x0000021c
success 0 0
Uses Windows utilities for basic Windows functionality (3 events)
cmdline schtasks.exe /Create /TN "Updates\urZsqZHsklS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp628D.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\urZsqZHsklS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp628D.tmp"
cmdline "netsh" wlan show profile
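The three command lines above are the only child-process command lines this report shows. The Python below is an added example, not part of the report: a small command-line triage that tokenises Windows-style command lines, flags schtasks /Create registrations whose task definition XML is staged in the user's Temp directory or that land in a task folder outside the Microsoft tree, and flags netsh wlan show profile as Wi-Fi profile enumeration. It goes slightly beyond the page in also recognising the key=clear form of that netsh command, which dumps a stored pre-shared key; the page shows only the enumeration form. The sample command lines are copied from the report, the benign control line is constructed, and the tag names and the allow-list of task-folder roots are the example's own assumptions.

```python
import ntpath
import re

USER_TEMP_MARKER = "\\appdata\\local\\temp\\"   # case-insensitive substring test on the XML path
KNOWN_TASK_ROOTS = {"microsoft"}                # assumed allow-list of task folders not worth flagging

# Command lines copied from the report's "Creates a suspicious process" and
# "A process created a hidden window" entries, plus one constructed benign control.
SAMPLE_CMDLINES = [
    r'schtasks.exe /Create /TN "Updates\urZsqZHsklS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp628D.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\urZsqZHsklS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp628D.tmp"',
    r'"netsh" wlan show profile',
    r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',   # constructed benign control
]


def win_argv(cmdline):
    """Minimal Windows-style tokenizer: a double-quoted run is one token (quotes stripped),
    everything else splits on whitespace. Backslashes are kept literally, unlike shlex."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def switch_value(argv, switch):
    """Value that follows a /SWITCH (case-insensitive), or None if absent."""
    lowered = [a.lower() for a in argv]
    if switch.lower() not in lowered:
        return None
    i = lowered.index(switch.lower())
    return argv[i + 1] if i + 1 < len(argv) else None


def triage_cmdline(cmdline):
    """Return the list of tags for one command line; an empty list means nothing noteworthy."""
    argv = win_argv(cmdline)
    if not argv:
        return []
    image = ntpath.basename(argv[0]).lower()   # works for bare names and full paths
    args = [a.lower() for a in argv[1:]]
    tags = []
    if image in ("schtasks.exe", "schtasks") and "/create" in args:
        task = switch_value(argv, "/TN") or ""
        xml = switch_value(argv, "/XML")
        tags.append("schtasks-create:" + task)
        root = task.split("\\")[0] if "\\" in task else None
        if root and root.lower() not in KNOWN_TASK_ROOTS:
            tags.append("task-in-custom-folder:" + root)
        if xml and USER_TEMP_MARKER in xml.lower():
            tags.append("task-xml-from-user-temp")   # definition staged in %TEMP%, typical of droppers
    if image in ("netsh.exe", "netsh") and args[:3] == ["wlan", "show", "profile"]:
        tags.append("wifi-profile-enum")
        if "key=clear" in args:                       # beyond the page: the PSK-dumping variant
            tags.append("wifi-psk-disclosure")
    return tags


def triage_all(cmdlines=SAMPLE_CMDLINES):
    """Map each command line to its tags."""
    return {c: triage_cmdline(c) for c in cmdlines}


if __name__ == "__main__":
    for cmd, tags in triage_all().items():
        print(tags or ["-"], cmd)
```

Both schtasks lines are the same registration seen through two different hooks (ShellExecuteExW parameters and the resolved CreateProcess command line), so the triage tags them identically; dedupe on the task name when counting events.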
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
172.217.0.0/16 is Google-operated address space; a connection to it without a preceding DNS lookup does not by itself identify command-and-control infrastructure, so treat the address as context rather than as an indicator of compromise.
Allocates execute permission in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619513311.209269
NtAllocateVirtualMemory
process_identifier: 284
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003ac
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Looks for the Windows idle time to determine the uptime (1 event)
Time & API Arguments Status Return Repeated
1619525636.182126
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task (1 event)
description 597e4ec93987eb13f905a15f11530e3c.exe tried to sleep 2728265 seconds (about 31.6 days); the sandbox reports the requested delay as elapsed, since the whole analysis took 78 seconds the sleep was skipped rather than honoured.
Harvests credentials from local FTP client software (5 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619513311.209269
WriteProcessMemory
process_identifier: 284
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELD™^à ˆÞ§ À@ @…§KÀðà  H.textä‡ ˆ `.rsrcðÀŠ@@.reloc àŽ@B
process_handle: 0x000003ac
base_address: 0x00400000
success 1 0
1619513311.225269
WriteProcessMemory
process_identifier: 284
buffer: €0€HXÀ””4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0` InternalNamecnoGJBJlpxgZgjPUphNvLsQDrtE.exe(LegalCopyright h OriginalFilenamecnoGJBJlpxgZgjPUphNvLsQDrtE.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000003ac
base_address: 0x0044c000
success 1 0
1619513311.225269
WriteProcessMemory
process_identifier: 284
buffer:   à7
process_handle: 0x000003ac
base_address: 0x0044e000
success 1 0
1619513311.225269
WriteProcessMemory
process_identifier: 284
buffer: @
process_handle: 0x000003ac
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619513311.209269
WriteProcessMemory
process_identifier: 284
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELD™^à ˆÞ§ À@ @…§KÀðà  H.textä‡ ˆ `.rsrcðÀŠ@@.reloc àŽ@B
process_handle: 0x000003ac
base_address: 0x00400000
success 1 0
Harvests credentials from local email clients (6 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2424 called NtSetContextThread to modify thread in remote process 284
Time & API Arguments Status Return Repeated
1619513311.225269
NtSetContextThread
thread_handle: 0x00000358
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4499422
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 284
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2424 resumed a thread in remote process 284
Time & API Arguments Status Return Repeated
1619513311.553269
NtResumeThread
thread_handle: 0x00000358
suspend_count: 1
process_identifier: 284
success 0 0
Executed a process and injected code into it, probably while unpacking (25 events)
Time & API Arguments Status Return Repeated
1619513304.897269
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2424
success 0 0
1619513304.912269
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2424
success 0 0
1619513308.084269
NtResumeThread
thread_handle: 0x00000280
suspend_count: 1
process_identifier: 2424
success 0 0
1619513308.662269
CreateProcessInternalW
thread_identifier: 2740
thread_handle: 0x00000364
process_identifier: 2996
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\urZsqZHsklS" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp628D.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000039c
inherit_handles: 0
success 1 0
1619513311.209269
CreateProcessInternalW
thread_identifier: 2772
thread_handle: 0x00000358
process_identifier: 284
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\597e4ec93987eb13f905a15f11530e3c.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\597e4ec93987eb13f905a15f11530e3c.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000003ac
inherit_handles: 0
success 1 0
1619513311.209269
NtGetContextThread
thread_handle: 0x00000358
success 0 0
1619513311.209269
NtAllocateVirtualMemory
process_identifier: 284
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003ac
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619513311.209269
WriteProcessMemory
process_identifier: 284
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELD™^à ˆÞ§ À@ @…§KÀðà  H.textä‡ ˆ `.rsrcðÀŠ@@.reloc àŽ@B
process_handle: 0x000003ac
base_address: 0x00400000
success 1 0
1619513311.225269
WriteProcessMemory
process_identifier: 284
buffer:
process_handle: 0x000003ac
base_address: 0x00402000
success 1 0
1619513311.225269
WriteProcessMemory
process_identifier: 284
buffer: €0€HXÀ””4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°ôStringFileInfoÐ000004b0,FileDescription 0FileVersion0.0.0.0` InternalNamecnoGJBJlpxgZgjPUphNvLsQDrtE.exe(LegalCopyright h OriginalFilenamecnoGJBJlpxgZgjPUphNvLsQDrtE.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000003ac
base_address: 0x0044c000
success 1 0
1619513311.225269
WriteProcessMemory
process_identifier: 284
buffer:   à7
process_handle: 0x000003ac
base_address: 0x0044e000
success 1 0
1619513311.225269
WriteProcessMemory
process_identifier: 284
buffer: @
process_handle: 0x000003ac
base_address: 0x7efde008
success 1 0
1619513311.225269
NtSetContextThread
thread_handle: 0x00000358
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4499422
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 284
success 0 0
1619513311.553269
NtResumeThread
thread_handle: 0x00000358
suspend_count: 1
process_identifier: 284
success 0 0
1619513311.553269
NtResumeThread
thread_handle: 0x000003c0
suspend_count: 1
process_identifier: 2424
success 0 0
1619525611.994126
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 284
success 0 0
1619525612.072126
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 284
success 0 0
1619525626.119126
NtResumeThread
thread_handle: 0x000002c4
suspend_count: 1
process_identifier: 284
success 0 0
1619525626.135126
NtResumeThread
thread_handle: 0x000002f4
suspend_count: 1
process_identifier: 284
success 0 0
1619525633.650126
NtResumeThread
thread_handle: 0x0000035c
suspend_count: 1
process_identifier: 284
success 0 0
1619525633.650126
NtResumeThread
thread_handle: 0x00000370
suspend_count: 1
process_identifier: 284
success 0 0
1619525634.682126
NtResumeThread
thread_handle: 0x000003b0
suspend_count: 1
process_identifier: 284
success 0 0
1619525635.682126
NtResumeThread
thread_handle: 0x000003b4
suspend_count: 1
process_identifier: 284
success 0 0
1619525652.947126
CreateProcessInternalW
thread_identifier: 2528
thread_handle: 0x000003bc
process_identifier: 2436
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000003c8
inherit_handles: 1
success 1 0
1619525654.010251
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2436
success 0 0
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43065273
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Trojan.GenericKD.43065273
Cylance Unsafe
K7AntiVirus Trojan ( 00565b091 )
Alibaba Trojan:MSIL/Kryptik.55fc2a4c
K7GW Trojan ( 00565b091 )
Cybereason malicious.93987e
Arcabit Trojan.Generic.D2911FB9
Cyren W32/MSIL_Kryptik.AXD.gen!Eldorado
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:PWSX-gen [Trj]
ClamAV Win.Packed.Nanocore-7758947-0
Kaspersky HEUR:Trojan.MSIL.RRAT.gen
BitDefender Trojan.GenericKD.43065273
NANO-Antivirus Trojan.Win32.Kryptik.hjolpl
Paloalto generic.ml
AegisLab Trojan.Multi.Generic.4!c
Tencent Msil.Trojan.Rrat.Swve
Ad-Aware Trojan.GenericKD.43065273
Sophos Mal/Generic-R + Troj/Steale-VK
Comodo Malware@#2z8o9cpciceom
F-Secure Trojan.TR/AD.AgentTesla.yhiep
DrWeb Trojan.Siggen9.43657
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06EC0PI220
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
FireEye Generic.mg.597e4ec93987eb13
Emsisoft Trojan.GenericKD.43065273 (B)
Ikarus Trojan.MSIL.Krypt
Webroot W32.Trojan.Gen
Avira TR/AD.AgentTesla.yhiep
eGambit Unsafe.AI_Score_100%
MAX malware (ai score=87)
Antiy-AVL Trojan/MSIL.RRAT
Gridinsoft Trojan.Win32.Downloader.dd!n
Microsoft Trojan:Win32/Skeeyah.A!rfn
ZoneAlarm HEUR:Trojan.MSIL.RRAT.gen
GData Trojan.GenericKD.43065273
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.C4098711
McAfee Artemis!597E4EC93987
VBA32 CIL.HeapOverride.Heur
Malwarebytes Spyware.AgentTesla
ESET-NOD32 a variant of MSIL/Kryptik.VQY
TrendMicro-HouseCall TROJ_GEN.R06EC0PI220
Yandex Trojan.Igent.bTD180.13
SentinelOne Static AI - Malicious PE
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran.

PE Compile Time

2020-04-29 11:54:36

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.