19.4
0-day

b4e2901318556e7690d7fa71c50176f567087352969042efaab796da6a35106d

613ab8974fb8ed645e8043f35f109265.exe

Analysis duration: 130s

Latest analysis

File size: 311.0KB
Static detection / Dynamic detection: AI SCORE=80 ALI2000016 ATTRIBUTE AVSARHER BSK66A CGAWW CONFIDENCE HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE HIOAMW INJECT3 KRYPTIK MALICIOUS PE MALWARE@#37T2Q3RUT7HKI OCCAMY PHOBOS PHOBOSRANSOM QVM03 R06EC0PI220 RANSOMX REMCOS SCORE STATIC AI TM0@AEU UNSAFE URSU WLFM YAKBEEXMSIL ZEMSILF
Eagle Eye engine
Not detected (no Eagle Eye engine results yet)
Static verdict
Antivirus engines
Engine       Result                             Date      Version
Alibaba      Trojan:Win32/Kryptik.ali2000016    20190527  0.3.0.5
Baidu        -                                  20190318  1.0.0.2
Avast        Win32:RansomX-gen [Ransom]         20201229  21.1.5827.0
Kingsoft     -                                  20201229  2017.9.26.565
McAfee       Packed-GAR!613AB8974FB8            20201229  6.0.6.653
Tencent      Msil.Trojan.Crypt.Wlfm             20201229  1.0.0.1
CrowdStrike  win/malicious_confidence_90% (W)   20190702  1.0
Static indicators
Queries for the computer name (7 events)
Time & API Arguments Status Return Repeated
1619538009.2095
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619538017.7415
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619537629.557396
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619537638.401396
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619537638.948396
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619537639.323396
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619537639.338396
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (5 events)
Time & API Arguments Status Return Repeated
1619513307.36125
IsDebuggerPresent
failed 0 0
1619513309.48625
IsDebuggerPresent
failed 0 0
1619513309.95525
IsDebuggerPresent
failed 0 0
1619538009.3975
IsDebuggerPresent
failed 0 0
1619537638.073396
IsDebuggerPresent
failed 0 0
Tries to locate where browsers are installed (1 event)
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\libGLESv2.dll
Checks the amount of memory in the system; this can be used to detect virtual machines that have little memory available (1 event)
Time & API Arguments Status Return Repeated
1619513309.11125
GlobalMemoryStatusEx
success 1 0
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 66 events)
Time & API Arguments Status Return Repeated
1619513306.37725
NtAllocateVirtualMemory
process_identifier: 732
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00230000
success 0 0
1619513306.37725
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00280000
success 0 0
1619513307.15825
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619513307.36125
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fa000
success 0 0
1619513307.36125
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619513307.36125
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f2000
success 0 0
1619513307.68925
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00402000
success 0 0
1619513307.87725
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00403000
success 0 0
1619513307.90825
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043b000
success 0 0
1619513307.90825
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00437000
success 0 0
1619513307.92425
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0040c000
success 0 0
1619513307.97125
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00640000
success 0 0
1619513308.28325
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00404000
success 0 0
1619513308.28325
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00405000
success 0 0
1619513308.33025
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00406000
success 0 0
1619513308.40825
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0041a000
success 0 0
1619513308.40825
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00417000
success 0 0
1619513308.40825
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042a000
success 0 0
1619513308.43925
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fb000
success 0 0
1619513308.48625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00407000
success 0 0
1619513308.72125
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00416000
success 0 0
1619513308.79925
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00641000
success 0 0
1619513308.84625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00422000
success 0 0
1619513308.87725
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00435000
success 0 0
1619513308.95525
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00281000
success 0 0
1619513309.01725
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c80000
success 0 0
1619513309.09625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00408000
success 0 0
1619513309.09625
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00409000
success 0 0
1619513309.11125
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00642000
success 0 0
1619513309.11125
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00643000
success 0 0
1619513309.11125
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00644000
success 0 0
1619513309.12725
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00645000
success 0 0
1619513309.12725
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00646000
success 0 0
1619513309.15825
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00647000
success 0 0
1619513309.18925
NtAllocateVirtualMemory
process_identifier: 732
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00648000
success 0 0
1619513309.25225
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004f0000
success 0 0
1619513309.26725
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0040a000
success 0 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02100178
failed 3221225550 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x021001a0
failed 3221225550 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x021001c8
failed 3221225550 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0212846e
failed 3221225550 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 11
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02128462
failed 3221225550 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 72
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02100208
failed 3221225550 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02119360
failed 3221225550 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02119380
failed 3221225550 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02119388
failed 3221225550 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0211938c
failed 3221225550 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02119394
failed 3221225550 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02119398
failed 3221225550 0
1619513309.26725
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0211939c
failed 3221225550 0
A process attempted to delay the analysis task (1 event)
description 613ab8974fb8ed645e8043f35f109265.exe tried to sleep 208 seconds, actually delayed analysis time by 208 seconds
Steals private information from local Internet browsers (16 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db.id[38C63B41-2275].[helprecover@foxmail.com].help
file UNC\OSKAR-PC\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6072F047-6D8.pma.id[38C63B41-2275].[helprecover@foxmail.com].help
file UNC\OSKAR-PC\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db.id[38C63B41-2275].[helprecover@foxmail.com].help
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db-journal
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db
file UNC\OSKAR-PC\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6072F20C-274.pma.id[38C63B41-2275].[helprecover@foxmail.com].help
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.id[38C63B41-2275].[helprecover@foxmail.com].help
file UNC\OSKAR-PC\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6072F20C-274.pma
file UNC\OSKAR-PC\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6072F217-D54.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db-journal
file UNC\OSKAR-PC\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt.id[38C63B41-2275].[helprecover@foxmail.com].help
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal
file UNC\OSKAR-PC\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6072F047-6D8.pma
Creates executable files on the filesystem (50 of 189 events)
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_pl.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_ko.dll
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Python Manuals.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Module Docs.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_ta.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_hr.dll
file C:\Python27\DLLs\tcl85.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_de.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_ro.dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\libEGL.dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\IDLE (Python GUI).lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
file C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxSVGA.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_fa.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_lv.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_ar.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_cs.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_ur.dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Remote Assistance.lnk
file C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleCrashHandler64.exe
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_sr.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_hi.dll
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\eventlog_provider.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_kn.dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Minesweeper.lnk
file C:\Program Files (x86)\Google\Update\1.3.36.72\psuser_64.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_th.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_is.dll
file C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_mr.dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file C:\Program Files\Microsoft Games\Chess\ChessMCE.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Internet Spades.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk
file C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.lnk
file C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_zh-TW.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_fr.dll
file C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_hu.dll
Creates a shortcut to an executable file (50 of 80 events)
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sync Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Python Manuals.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Module Docs.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Event Viewer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Information.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\NetworkProjection.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Speech Recognition.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\More Games from Microsoft.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Task Scheduler.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Backup and Restore Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Hearts.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Create Recovery Disc.lnk
file C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk
file C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Chess.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Resource Monitor.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\IDLE (Python GUI).lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Solitaire.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Purble Place.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Python (command line).lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Remote Assistance.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\GameExplorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer Reports.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Minesweeper.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7\Uninstall Python.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE (x86).lnk
file C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk
Creates a suspicious process (2 events)
cmdline C:\Windows\System32\cmd.exe
cmdline wmic shadowcopy delete
Executes one or more WMI queries (1 event)
wmi SELECT * FROM Win32_ShadowCopy
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.190271667273549  section .text (size_of_data 0x0004d200, virtual_address 0x00002000, virtual_size 0x0004d064, entropy 7.190271667273549)  description A section with a high entropy has been found
entropy 0.9935587761674718  description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)
Time & API Arguments Status Return Repeated
1619513309.33025
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619538009.1625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619537586.665771
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
Repeatedly searches for a not-found process; you may want to run a web browser during analysis (50 of 117 events)
Time & API Arguments Status Return Repeated
1619538010.3035
Process32NextW
process_name: conhost.exe
snapshot_handle: 0x00000228
process_identifier: 3260
failed 0 0
1619538011.6945
Process32NextW
process_name: conhost.exe
snapshot_handle: 0x00000274
process_identifier: 3260
failed 0 0
1619538012.3975
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x00000230
process_identifier: 3308
failed 0 0
1619538013.6945
Process32NextW
process_name: inject-x64.exe
snapshot_handle: 0x00000208
process_identifier: 3328
failed 0 0
1619538014.4285
Process32NextW
process_name: vssadmin.exe
snapshot_handle: 0x00000204
process_identifier: 3300
failed 0 0
1619538015.5695
Process32NextW
process_name: vssadmin.exe
snapshot_handle: 0x00000264
process_identifier: 3300
failed 0 0
1619538016.2255
Process32NextW
process_name: vssadmin.exe
snapshot_handle: 0x00000274
process_identifier: 3300
failed 0 0
1619538016.8665
Process32NextW
process_name: vssadmin.exe
snapshot_handle: 0x00000278
process_identifier: 3300
failed 0 0
1619538017.3815
Process32NextW
process_name: vssadmin.exe
snapshot_handle: 0x00000208
process_identifier: 3300
failed 0 0
1619538017.9595
Process32NextW
process_name: VSSVC.exe
snapshot_handle: 0x00000284
process_identifier: 3400
failed 0 0
1619538018.4755
Process32NextW
process_name: VSSVC.exe
snapshot_handle: 0x00000284
process_identifier: 3400
failed 0 0
1619538019.1165
Process32NextW
process_name: VSSVC.exe
snapshot_handle: 0x00000298
process_identifier: 3400
failed 0 0
1619538019.7725
Process32NextW
process_name: VSSVC.exe
snapshot_handle: 0x000002cc
process_identifier: 3400
failed 0 0
1619538020.3975
Process32NextW
process_name: VSSVC.exe
snapshot_handle: 0x000002a8
process_identifier: 3400
failed 0 0
1619538021.0535
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000001f8
process_identifier: 3472
failed 0 0
1619538021.6315
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x0000028c
process_identifier: 3472
failed 0 0
1619538022.2565
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000002d0
process_identifier: 3472
failed 0 0
1619538022.9285
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000002d8
process_identifier: 3472
failed 0 0
1619538023.7095
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000002d8
process_identifier: 3472
failed 0 0
1619538024.4755
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000002f0
process_identifier: 3472
failed 0 0
1619538025.0535
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000002f0
process_identifier: 3472
failed 0 0
1619538025.7875
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000002f0
process_identifier: 3472
failed 0 0
1619538026.3665
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x00000308
process_identifier: 3472
failed 0 0
1619538027.0065
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000002ec
process_identifier: 3472
failed 0 0
1619538027.6945
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000002ec
process_identifier: 3472
failed 0 0
1619538028.5375
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000001b0
process_identifier: 3472
failed 0 0
1619538029.1625
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x00000264
process_identifier: 3472
failed 0 0
1619538029.7415
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000002cc
process_identifier: 3472
failed 0 0
1619538030.2875
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x00000300
process_identifier: 3472
failed 0 0
1619538030.8815
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x00000270
process_identifier: 3472
failed 0 0
1619538031.5695
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000001fc
process_identifier: 3472
failed 0 0
1619538032.3505
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000001f0
process_identifier: 3472
failed 0 0
1619538033.3505
Process32NextW
process_name: inject-x64.exe
snapshot_handle: 0x000001a8
process_identifier: 3676
failed 0 0
1619538034.1165
Process32NextW
process_name: inject-x64.exe
snapshot_handle: 0x000001f0
process_identifier: 3676
failed 0 0
1619538034.9445
Process32NextW
process_name: inject-x64.exe
snapshot_handle: 0x000001f0
process_identifier: 3676
failed 0 0
1619538035.5695
Process32NextW
process_name: svchost.exe
snapshot_handle: 0x000001a8
process_identifier: 3732
failed 0 0
1619538036.3195
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x000001b4
process_identifier: 3752
failed 0 0
1619538037.0535
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x000001b4
process_identifier: 3752
failed 0 0
1619538037.8345
Process32NextW
process_name: WerFault.exe
snapshot_handle: 0x000001b4
process_identifier: 3816
failed 0 0
1619538038.3665
Process32NextW
process_name: WerFault.exe
snapshot_handle: 0x000001b8
process_identifier: 3816
failed 0 0
1619538039.0065
Process32NextW
process_name: WerFault.exe
snapshot_handle: 0x00000204
process_identifier: 3816
failed 0 0
1619538039.7255
Process32NextW
process_name: WerFault.exe
snapshot_handle: 0x000001a8
process_identifier: 3816
failed 0 0
1619538040.3815
Process32NextW
process_name: WerFault.exe
snapshot_handle: 0x00000204
process_identifier: 3816
failed 0 0
1619538041.2565
Process32NextW
process_name: WerFault.exe
snapshot_handle: 0x00000204
process_identifier: 3816
failed 0 0
1619538041.7875
Process32NextW
process_name: WerFault.exe
snapshot_handle: 0x000001b4
process_identifier: 3816
failed 0 0
1619538042.3815
Process32NextW
process_name: WerFault.exe
snapshot_handle: 0x000001b8
process_identifier: 3816
failed 0 0
1619538043.0695
Process32NextW
process_name: WerFault.exe
snapshot_handle: 0x000001b8
process_identifier: 3816
failed 0 0
1619538043.6005
Process32NextW
process_name: WerFault.exe
snapshot_handle: 0x00000204
process_identifier: 3816
failed 0 0
1619538044.2415
Process32NextW
process_name: WerFault.exe
snapshot_handle: 0x00000290
process_identifier: 3816
failed 0 0
1619538045.0225
Process32NextW
process_name: WerFault.exe
snapshot_handle: 0x000001b4
process_identifier: 3816
failed 0 0
Uses Windows utilities for basic Windows functionality (1 event)
cmdline wmic shadowcopy delete
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619513309.68925
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 77824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000298
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Installs itself for autorun at Windows startup (4 events)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\613ab8974fb8ed645e8043f35f109265 reg_value C:\Users\Administrator.Oskar-PC\AppData\Local\613ab8974fb8ed645e8043f35f109265.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\613ab8974fb8ed645e8043f35f109265 reg_value C:\Users\Administrator.Oskar-PC\AppData\Local\613ab8974fb8ed645e8043f35f109265.exe
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[38C63B41-2275].[helprecover@foxmail.com].help
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Attempts to detect Cuckoo Sandbox through the presence of a file (1 event)
file C:\Python27\agent.pyw
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619513309.68925
WriteProcessMemory
process_identifier: 2520
buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $n»¹*Ú×A*Ú×A*Ú×A#¢TA+Ú×A#¢DA9Ú×A*ÚÖAEÚ×A1GIA+Ú×A1G}A+Ú×A1GyA8Ú×A1GJA+Ú×ARich*Ú×APEL£R,^à  †>”. @0U@4¤Èà” à.texth„† `.rdata| Š@@.data¹&°š@À.relocÞà @B.cdataÈ<ð>¦@À
process_handle: 0x00000298
base_address: 0x00400000
success 1 0
1619513309.68925
WriteProcessMemory
process_identifier: 2520
buffer: (raw binary data removed)
process_handle: 0x00000298
base_address: 0x0040b000
success 1 0
1619513309.68925
WriteProcessMemory
process_identifier: 2520
buffer: (raw binary data removed)
process_handle: 0x00000298
base_address: 0x0040e000
success 1 0
1619513309.68925
WriteProcessMemory
process_identifier: 2520
buffer: @
process_handle: 0x00000298
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619513309.68925
WriteProcessMemory
process_identifier: 2520
buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $n»¹*Ú×A*Ú×A*Ú×A#¢TA+Ú×A#¢DA9Ú×A*ÚÖAEÚ×A1GIA+Ú×A1G}A+Ú×A1GyA8Ú×A1GJA+Ú×ARich*Ú×APEL£R,^à  †>”. @0U@4¤Èà” à.texth„† `.rdata| Š@@.data¹&°š@À.relocÞà @B.cdataÈ<ð>¦@À
process_handle: 0x00000298
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 732 called NtSetContextThread to modify thread in remote process 2520
Time & API Arguments Status Return Repeated
1619513309.68925
NtSetContextThread
thread_handle: 0x00000294
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4206228
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2520
success 0 0
Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 730 events)
file C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.732.25287390
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.732.25287421
file C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.732.25287390
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pl.pak
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
file C:\Python27\Lib\collections.pyc
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk
file C:\Python27\Lib\ctypes\test\test_callbacks.py
file C:\Python27\Lib\ctypes\test\test_win32.py
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_ta.dll
file C:\Python27\Lib\curses\panel.py
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_ro.dll
file C:\Python27\Lib\copy_reg.pyc
file C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file C:\Python27\Lib\bsddb\test\test_thread.py
file C:\Python27\include\pythonrun.h
file C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk
file C:\Python27\Lib\bisect.pyc
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\cs.pak
file C:\Python27\include\dtoa.h
file C:\Program Files (x86)\Google\Update\1.3.36.72\psmachine.dll
file C:\Python27\Lib\antigravity.py
file C:\Python27\Lib\chunk.py
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_lv.dll
file C:\Python27\include\bufferobject.h
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_ar.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_cs.dll
file C:\Python27\Lib\ctypes\test\test_struct_fields.py
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Remote Assistance.lnk
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_sr.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_hi.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\goopdateres_kn.dll
file C:\Program Files (x86)\Google\Update\1.3.36.72\psuser_64.dll
file C:\Users\Oskar\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
file C:\Python27\Lib\codeop.py
file C:\Python27\Lib\distutils\command\bdist.py
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file C:\Program Files\Microsoft Games\Chess\ChessMCE.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file C:\Python27\Lib\ctypes\test\test_buffers.py
file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrs
file C:\Python27\Lib\cookielib.py
file C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.lnk
file C:\Python27\Lib\Bastion.py
file C:\Python27\Lib\dbhash.py
file C:\Python27\include\tupleobject.h
file C:\Python27\Lib\commands.py
file C:\Python27\include\sliceobject.h
file C:\Python27\Lib\compiler\future.py
Removes the Shadow Copy to avoid recovery of the system (2 events)
cmdline vssadmin delete shadows /all /quiet
cmdline wmic shadowcopy delete
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 732 resumed a thread in remote process 2520
Time & API Arguments Status Return Repeated
1619513309.93925
NtResumeThread
thread_handle: 0x00000294
suspend_count: 1
process_identifier: 2520
success 0 0
Uses suspicious command line tools or Windows utilities (1 event)
cmdline vssadmin delete shadows /all /quiet
Detects VirtualBox through the presence of a device (2 events)
file \??\VBoxGuest
file \??\VBoxMiniRdrDN
Detects VirtualBox through the presence of a file (10 events)
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDisp.dll
dll C:\Windows\system32\VBoxMRXNP.dll
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxControl.exe.id[38C63B41-2275].[helprecover@foxmail.com].help
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxTray.exe
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWHQLFake.exe
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.sys
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.sys.id[38C63B41-2275].[helprecover@foxmail.com].help
file C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.inf
file C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe.id[38C63B41-2275].[helprecover@foxmail.com].help
Visual analysis
Binary image
No binary image available. This sample did not generate a binary visualization image.
Runtime screenshots
No runtime screenshots available. No screenshots were captured while this sample ran.

PE Compile Time

2020-04-12 01:36:08

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49185 192.168.56.1 139
192.168.56.101 49191 192.168.56.1 139
192.168.56.101 49196 192.168.56.1 139

UDP

Source Source Port Destination Destination Port
192.168.56.1 137 192.168.56.101 137
192.168.56.1 138 192.168.56.101 138
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.