SmartHawk

12.8

0-day

48 个模型检测该样本为恶意！

重新分析

下载样本

fb0f4fec3977dcda5ea563119dedd6211d18d67bb6665e008a67e55ab656865e

7604c1c1eac76a1604bd1709cb6cc242.exe

分析耗时

79s

最近分析

文件大小

601.5KB

静态报毒动态报毒 AGENTTESLA AI SCORE=84 ATTRIBUTE BTYXWJ CONFIDENCE ELDORADO GDSDA GENERICKDZ GENERICRXKF HIGH CONFIDENCE HIGHCONFIDENCE IGENT KRYPTIK LLOJI NANOBOT NANOCORE ONIE PWSX R332969 S + TROJ SCORE SIGGEN2 SMTH SUSGEN TSCOPE UNSAFE YAKBEEXMSIL 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	GenericRXKF-EL!7604C1C1EAC7	20201229	6.0.6.653
Alibaba	TrojanSpy:MSIL/AgentTesla.a749b41d	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20201229	21.1.5827.0
Kingsoft		20201229	2017.9.26.565
CrowdStrike	win/malicious_confidence_60% (W)	20190702	1.0

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1619658789.600876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619658791.506876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619658793.022876 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (4 个事件)

Time & API	Arguments	Status	Return	Repeated
1619658771.991374 IsDebuggerPresent		failed	0	0
1619658775.366374 IsDebuggerPresent		failed	0	0
1619658775.881374 IsDebuggerPresent		failed	0	0
1619658776.194876 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619658774.694374 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (7 个事件)

Time & API	Arguments	Status
1619658793.006876 __exception__	stacktrace: 0x47ef4c5 0x47ee84f CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2027728 registers.edi: 40371580 registers.eax: 0 registers.ebp: 2027772 registers.edx: 158 registers.ebx: 0 registers.esi: 1874689719 registers.ecx: 0 exception.instruction_r: 8b 01 ff 50 28 89 45 dc 69 c6 2f d2 17 78 35 d0 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x47ef891	success
1619658818.084876 __exception__	stacktrace: 0x5561919 0x47eef00 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2026032 registers.edi: 2026092 registers.eax: 0 registers.ebp: 2026108 registers.edx: 2026000 registers.ebx: 1177776706 registers.esi: 40848072 registers.ecx: 0 exception.instruction_r: 39 09 e8 8a ef af 6c 89 45 b8 33 d2 89 55 dc 8b exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5565897	success
1619658818.709876 __exception__	stacktrace: 0x5561abd 0x47eef00 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2026040 registers.edi: 40976744 registers.eax: 40981508 registers.ebp: 2026108 registers.edx: 40981508 registers.ebx: 40976820 registers.esi: 0 registers.ecx: 1911774966 exception.instruction_r: 39 06 68 ff ff ff 7f 6a 00 8b ce e8 93 ac b9 6c exception.instruction: cmp dword ptr [esi], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x55694dd	success
1619658822.850876 __exception__	stacktrace: 0x55623a5 0x47eef00 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2025992 registers.edi: 41318252 registers.eax: 0 registers.ebp: 2026108 registers.edx: 2025960 registers.ebx: 0 registers.esi: 1846298221 registers.ecx: 0 exception.instruction_r: 39 09 e8 24 36 7f 6c 83 78 04 00 0f 84 0a 04 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x58711fd	success
1619658822.850876 __exception__	stacktrace: 0x5562450 0x47eef00 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2026052 registers.edi: 2026092 registers.eax: 3 registers.ebp: 2026108 registers.edx: 0 registers.ebx: 1177776706 registers.esi: 274204090 registers.ecx: 0 exception.instruction_r: 8b 01 ff 50 5c 39 00 89 45 c8 b8 17 e2 67 3e eb exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5871716	success
1619658823.084876 __exception__	stacktrace: 0x47eef00 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2026116 registers.edi: 40581188 registers.eax: 0 registers.ebp: 2027820 registers.edx: 0 registers.ebx: 1177776706 registers.esi: 20022767 registers.ecx: 41367528 exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 8b 95 e4 f9 ff ff exception.instruction: cmp dword ptr [eax + 8], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x55624bb	success
1619658831.381876 __exception__	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77da9e31 IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x7637d141 OleCreateFromData+0x195 NdrProxyForwardingFunction4-0x81f ole32+0xc586d @ 0x767b586d ObjectStublessClient31+0x886b STGMEDIUM_UserUnmarshal-0x20e43 ole32+0x998db @ 0x767898db DllRegisterServerInternal+0x3df02 GetPrivateContextsPerfCounters-0x19797 mscorwks+0x94168 @ 0x73fc4168 0x49ba66 system+0x7a24ea @ 0x71aa24ea system+0x7a30b4 @ 0x71aa30b4 system+0x7a2c0a @ 0x71aa2c0a system+0x7a0de4 @ 0x71aa0de4 system+0x79e6da @ 0x71a9e6da system+0x79f065 @ 0x71a9f065 microsoft+0x12fb46 @ 0x7371fb46 0x47ee3a2 system+0x1f84fa @ 0x714f84fa 0x850ebc gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a 0x55f45c4 0x47ef245 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2026412 registers.edi: 5832704 registers.eax: 4294967288 registers.ebp: 2026456 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 5832704 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77da9e58	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 146 个事件)

Time & API	Arguments	Status	Return
1619658770.975374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00850000	success	0
1619658770.975374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009e0000	success	0
1619658771.772374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success	0
1619658772.006374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003fa000	success	0
1619658772.006374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success	0
1619658772.006374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f2000	success	0
1619658772.459374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00402000	success	0
1619658772.663374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00403000	success	0
1619658772.694374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0043b000	success	0
1619658772.694374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00437000	success	0
1619658772.756374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0040c000	success	0
1619658773.397374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00404000	success	0
1619658773.397374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00405000	success	0
1619658773.428374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00406000	success	0
1619658773.444374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e0000	success	0
1619658773.538374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0041a000	success	0
1619658773.538374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00417000	success	0
1619658773.538374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0042a000	success	0
1619658773.569374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003fb000	success	0
1619658773.694374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e1000	success	0
1619658773.741374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00416000	success	0
1619658773.975374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0040a000	success	0
1619658773.975374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ca0000	success	0
1619658774.038374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x009e1000	success	0
1619658774.116374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00422000	success	0
1619658774.163374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00435000	success	0
1619658774.319374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00407000	success	0
1619658774.334374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e2000	success	0
1619658774.491374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00ca1000	success	0
1619658774.616374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e3000	success	0
1619658774.756374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00408000	success	0
1619658774.772374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00409000	success	0
1619658774.788374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e4000	success	0
1619658774.788374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e5000	success	0
1619658774.788374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e6000	success	0
1619658774.803374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e7000	success	0
1619658774.803374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e8000	success	0
1619658774.913374 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e9000	success	0
1619658775.038374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05550178	failed	3221225550
1619658775.038374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x055501a0	failed	3221225550
1619658775.038374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x055501c8	failed	3221225550
1619658775.038374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0559ea5e	failed	3221225550
1619658775.038374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0559ea52	failed	3221225550
1619658775.038374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05550208	failed	3221225550
1619658775.038374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0558f960	failed	3221225550
1619658775.038374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0558f980	failed	3221225550
1619658775.038374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0558f988	failed	3221225550
1619658775.038374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0558f98c	failed	3221225550
1619658775.038374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0558f994	failed	3221225550
1619658775.038374 NtProtectVirtualMemory	process_identifier: 1632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x0558f998	failed	3221225550

Steals private information from local Internet browsers (7 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619658819.038876 CreateProcessInternalW	thread_identifier: 2412 thread_handle: 0x000003e0 process_identifier: 1056 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "netsh" wlan show profile filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x000003ec inherit_handles: 1	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

6.945445438873533

section

{'size_of_data': '0x00095a00', 'virtual_address': '0x00002000', 'entropy': 6.945445438873533, 'name': '.text', 'virtual_size': '0x000959f0'}

description

A section with a high entropy has been found

entropy

0.9958402662229617

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619658775.116374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619658777.038876 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619658788.803876 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1632 process_handle: 0x0000021c	failed	0	0
1619658788.803876 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1632 process_handle: 0x0000021c	success	0	0

Uses Windows utilities for basic Windows functionality (1 个事件)

cmdline

"netsh" wlan show profile

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619658775.600374 NtAllocateVirtualMemory	process_identifier: 520 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002b8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Looks for the Windows Idle Time to determine the uptime (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619658801.538876 NtQuerySystemInformation	information_class: 8 (SystemProcessorPerformanceInformation)	success	0	0

A process attempted to delay the analysis task. (1 个事件)

description

7604c1c1eac76a1604bd1709cb6cc242.exe tried to sleep 2728266 seconds, actually delayed analysis time by 2728266 seconds

Harvests credentials from local FTP client softwares (5 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619658775.600374 WriteProcessMemory	process_identifier: 520 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELGñ^à.§ À@ @Ô¦WÀ à H.text4 `.rsrc À@@.relocà@B process_handle: 0x000002b8 base_address: 0x00400000	success	1
1619658775.600374 WriteProcessMemory	process_identifier: 520 buffer: 0HXÀÄÄ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°$StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0x+InternalNameHScMhmYDcWxZgrlohPxMvkQmMHUnLPfCGyCJoE.exe(LegalCopyright +OriginalFilenameHScMhmYDcWxZgrlohPxMvkQmMHUnLPfCGyCJoE.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x000002b8 base_address: 0x0044c000	success	1
1619658775.600374 WriteProcessMemory	process_identifier: 520 buffer: 07 process_handle: 0x000002b8 base_address: 0x0044e000	success	1
1619658775.600374 WriteProcessMemory	process_identifier: 520 buffer: @ process_handle: 0x000002b8 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619658775.600374 WriteProcessMemory	process_identifier: 520 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELGñ^à.§ À@ @Ô¦WÀ à H.text4 `.rsrc À@@.relocà@B process_handle: 0x000002b8 base_address: 0x00400000	success	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619658831.381876 SetWindowsHookExW	thread_identifier: 0 callback_function: 0x008528a2 module_address: 0x00400000 hook_identifier: 13 (WH_KEYBOARD_LL)	success	852207	0

Harvests credentials from local email clients (6 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1632 called NtSetContextThread to modify thread in remote process 520
1619658775.600374 NtSetContextThread	thread_handle: 0x000002b0 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4499246 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 520	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1632 resumed a thread in remote process 520
1619658775.897374 NtResumeThread	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 520	success	0	0

Executed a process and injected code into it, probably while unpacking (24 个事件)

Time & API	Arguments	Status	Return
1619658771.991374 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1632	success	0
1619658772.084374 NtResumeThread	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 1632	success	0
1619658775.272374 NtResumeThread	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 1632	success	0
1619658775.303374 NtResumeThread	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 1632	success	0
1619658775.584374 CreateProcessInternalW	thread_identifier: 1912 thread_handle: 0x000002b0 process_identifier: 520 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7604c1c1eac76a1604bd1709cb6cc242.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7604c1c1eac76a1604bd1709cb6cc242.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000002b8 inherit_handles: 0	success	1
1619658775.600374 NtGetContextThread	thread_handle: 0x000002b0	success	0
1619658775.600374 NtAllocateVirtualMemory	process_identifier: 520 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002b8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619658775.600374 WriteProcessMemory	process_identifier: 520 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELGñ^à.§ À@ @Ô¦WÀ à H.text4 `.rsrc À@@.relocà@B process_handle: 0x000002b8 base_address: 0x00400000	success	1
1619658775.600374 WriteProcessMemory	process_identifier: 520 buffer: process_handle: 0x000002b8 base_address: 0x00402000	success	1
1619658775.600374 WriteProcessMemory	process_identifier: 520 buffer: 0HXÀÄÄ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°$StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0x+InternalNameHScMhmYDcWxZgrlohPxMvkQmMHUnLPfCGyCJoE.exe(LegalCopyright +OriginalFilenameHScMhmYDcWxZgrlohPxMvkQmMHUnLPfCGyCJoE.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x000002b8 base_address: 0x0044c000	success	1
1619658775.600374 WriteProcessMemory	process_identifier: 520 buffer: 07 process_handle: 0x000002b8 base_address: 0x0044e000	success	1
1619658775.600374 WriteProcessMemory	process_identifier: 520 buffer: @ process_handle: 0x000002b8 base_address: 0x7efde008	success	1
1619658775.600374 NtSetContextThread	thread_handle: 0x000002b0 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4499246 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 520	success	0
1619658775.897374 NtResumeThread	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 520	success	0
1619658776.194876 NtResumeThread	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 520	success	0
1619658776.241876 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 520	success	0
1619658791.303876 NtResumeThread	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 520	success	0
1619658791.350876 NtResumeThread	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 520	success	0
1619658799.022876 NtResumeThread	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 520	success	0
1619658799.022876 NtResumeThread	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 520	success	0
1619658800.038876 NtResumeThread	thread_handle: 0x000003c0 suspend_count: 1 process_identifier: 520	success	0
1619658801.038876 NtResumeThread	thread_handle: 0x000003c4 suspend_count: 1 process_identifier: 520	success	0
1619658819.038876 CreateProcessInternalW	thread_identifier: 2412 thread_handle: 0x000003e0 process_identifier: 1056 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "netsh" wlan show profile filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x000003ec inherit_handles: 1	success	1
1619658820.164249 NtResumeThread	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 1056	success	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.66546
FireEye	Generic.mg.7604c1c1eac76a16
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	GenericRXKF-EL!7604C1C1EAC7
Cylance	Unsafe
K7AntiVirus	Trojan ( 005649ca1 )
Alibaba	TrojanSpy:MSIL/AgentTesla.a749b41d
K7GW	Trojan ( 005649ca1 )
Cybereason	malicious.1eac76
Arcabit	Trojan.Generic.D103F2
Cyren	W32/MSIL_Kryptik.ANJ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
TrendMicro-HouseCall	Backdoor.MSIL.NANOCORE.SMTH
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.NanoBot.gen
BitDefender	Trojan.GenericKDZ.66546
Paloalto	generic.ml
Ad-Aware	Trojan.GenericKDZ.66546
Sophos	Mal/Generic-S + Troj/MSIL-OJK
F-Secure	Trojan.TR/AD.AgentTesla.lloji
DrWeb	Trojan.PWS.Siggen2.47299
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Backdoor.MSIL.NANOCORE.SMTH
McAfee-GW-Edition	BehavesLike.Win32.Generic.jh
Emsisoft	Trojan.GenericKDZ.66546 (B)
APEX	Malicious
Jiangmin	Trojan.MSIL.onie
MaxSecure	Trojan.Malware.73688781.susgen
Avira	TR/AD.AgentTesla.lloji
MAX	malware (ai score=84)
Microsoft	TrojanSpy:MSIL/AgentTesla!MSR
AegisLab	Trojan.MSIL.NanoBot.4!c
ZoneAlarm	HEUR:Trojan.MSIL.NanoBot.gen
GData	Trojan.GenericKDZ.66546
Cynet	Malicious (score: 85)
AhnLab-V3	Trojan/Win32.MSIL.R332969
VBA32	TScope.Trojan.MSIL
ALYac	Trojan.GenericKDZ.66546
Malwarebytes	Trojan.Crypt.MSIL.Generic
Ikarus	Trojan.Inject
ESET-NOD32	a variant of MSIL/Kryptik.VLQ
Yandex	Trojan.Igent.bTyXwJ.122
Fortinet	MSIL/NanoBot.VLQ!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_60% (W)
Qihoo-360	Generic/Trojan.BO.573

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-04-15 22:25:01

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	49238	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.