SmartHawk

10.4

0-day

55 个模型检测该样本为恶意！

重新分析

下载样本

f34c4cad829d7f44f730d66e9be8571c4d69b55487e5b7fb00a60ed8094d00ba

8b76bc6ab1cac65762989b0c0525c2d8.exe

分析耗时

86s

最近分析

文件大小

452.0KB

静态报毒动态报毒 100% AGENSLA AGENTTESLA AI SCORE=88 ARTEMIS AUTO CONFIDENCE CU0@A8UA9AD EJGE ELDORADO GDSDA HEAPOVERRIDE HIGH CONFIDENCE INJECT3 KRYPT KRYPTIK MALICIOUS PE MALWARE@#10C3IPFMWVJBH MYNO OCCAMY PWSX QHQQFKOWPNC R06EC0PI220 RXHFK SCORE STATIC AI SUSGEN TROJANPSW UNSAFE WACATAC YAKBEEXMSIL ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!8B76BC6AB1CA	20201229	6.0.6.653
Alibaba	TrojanPSW:MSIL/Agensla.fb08c9d8	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:PWSX-gen [Trj]	20201229	21.1.5827.0
Tencent	Win32.Trojan.Inject.Auto	20201229	1.0.0.1
Kingsoft		20201229	2017.9.26.565
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (7 个事件)

Time & API	Arguments	Status	Return
1619703484.418751 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619703484.511751 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619703484.527751 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619703484.574751 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619703489.730751 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619703489.730751 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619703507.543626 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (3 个事件)

Time & API	Arguments	Status	Return	Repeated
1619703476.074124 IsDebuggerPresent		failed	0	0
1619703476.074124 IsDebuggerPresent		failed	0	0
1619703485.183751 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619703508.449626 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\gFZvCnoxH"。 console_handle: 0x00000007	success	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 64 个事件)

Time & API	Arguments	Status	Return
1619703486.761751 CryptExportKey	crypto_handle: 0x007180f0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703487.964751 CryptExportKey	crypto_handle: 0x00717fb0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703487.964751 CryptExportKey	crypto_handle: 0x00717fb0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703487.964751 CryptExportKey	crypto_handle: 0x00717fb0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.105751 CryptExportKey	crypto_handle: 0x00717fb0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.105751 CryptExportKey	crypto_handle: 0x00717fb0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.105751 CryptExportKey	crypto_handle: 0x00717fb0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.168751 CryptExportKey	crypto_handle: 0x00717fb0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.183751 CryptExportKey	crypto_handle: 0x007174f0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.199751 CryptExportKey	crypto_handle: 0x007174f0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.230751 CryptExportKey	crypto_handle: 0x007174f0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.230751 CryptExportKey	crypto_handle: 0x007174f0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.230751 CryptExportKey	crypto_handle: 0x007174f0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.230751 CryptExportKey	crypto_handle: 0x007174f0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.605751 CryptExportKey	crypto_handle: 0x00717a30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.621751 CryptExportKey	crypto_handle: 0x00717a30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.621751 CryptExportKey	crypto_handle: 0x00717a30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.636751 CryptExportKey	crypto_handle: 0x00717a30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.636751 CryptExportKey	crypto_handle: 0x00717a30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.636751 CryptExportKey	crypto_handle: 0x00717a30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703488.683751 CryptExportKey	crypto_handle: 0x00717a30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.261751 CryptExportKey	crypto_handle: 0x00717df0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.261751 CryptExportKey	crypto_handle: 0x00717df0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.261751 CryptExportKey	crypto_handle: 0x00717df0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.277751 CryptExportKey	crypto_handle: 0x00717930 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.277751 CryptExportKey	crypto_handle: 0x00717df0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.277751 CryptExportKey	crypto_handle: 0x00717df0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.277751 CryptExportKey	crypto_handle: 0x00717df0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.277751 CryptExportKey	crypto_handle: 0x00717df0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.277751 CryptExportKey	crypto_handle: 0x00717df0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.293751 CryptExportKey	crypto_handle: 0x00717df0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.293751 CryptExportKey	crypto_handle: 0x00717df0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.418751 CryptExportKey	crypto_handle: 0x00717df0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.418751 CryptExportKey	crypto_handle: 0x00717df0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.527751 CryptExportKey	crypto_handle: 0x00717d30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.527751 CryptExportKey	crypto_handle: 0x00717d30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.527751 CryptExportKey	crypto_handle: 0x00717d30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.543751 CryptExportKey	crypto_handle: 0x00717d30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.543751 CryptExportKey	crypto_handle: 0x00717d30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.543751 CryptExportKey	crypto_handle: 0x00717d30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.574751 CryptExportKey	crypto_handle: 0x00717d30 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.636751 CryptExportKey	crypto_handle: 0x007173b0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.636751 CryptExportKey	crypto_handle: 0x007173b0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.808751 CryptExportKey	crypto_handle: 0x007173b0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.808751 CryptExportKey	crypto_handle: 0x007173b0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.808751 CryptExportKey	crypto_handle: 0x007173b0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.808751 CryptExportKey	crypto_handle: 0x007173b0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.808751 CryptExportKey	crypto_handle: 0x007173b0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.824751 CryptExportKey	crypto_handle: 0x007173b0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619703489.824751 CryptExportKey	crypto_handle: 0x007173b0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619703476.105124 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)

section	Pd\x1aoU-<\x08
section

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 208 个事件)

Time & API	Arguments	Status
1619703475.668124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00450000	success
1619703475.668124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00500000	success
1619703475.871124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02300000	success
1619703475.871124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x024e0000	success
1619703475.933124 NtProtectVirtualMemory	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619703476.074124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02520000	success
1619703476.074124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x026d0000	success
1619703476.074124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003aa000	success
1619703476.074124 NtProtectVirtualMemory	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1619703476.074124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a2000	success
1619703476.339124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003b2000	success
1619703476.480124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00455000	success
1619703476.480124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0045b000	success
1619703476.480124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00457000	success
1619703476.621124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003b3000	success
1619703476.683124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003bc000	success
1619703476.777124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d0000	success
1619703476.996124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003b4000	success
1619703477.058124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d1000	success
1619703477.183124 NtProtectVirtualMemory	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x003d2000	success
1619703477.652124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d2000	success
1619703477.668124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003b5000	success
1619703477.668124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d3000	success
1619703477.668124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d4000	success
1619703477.839124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d5000	success
1619703477.918124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d6000	success
1619703478.511124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003b6000	success
1619703478.636124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003b8000	success
1619703478.824124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ca000	success
1619703478.824124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c7000	success
1619703479.011124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003b9000	success
1619703479.027124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00660000	success
1619703479.043124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d7000	success
1619703479.058124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006da000	success
1619703479.339124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003c6000	success
1619703479.339124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006db000	success
1619703479.418124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00661000	success
1619703479.683124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006dc000	success
1619703479.730124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00662000	success
1619703479.871124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x024e1000	success
1619703480.214124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00663000	success
1619703480.214124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006dd000	success
1619703480.308124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00664000	success
1619703480.324124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003bd000	success
1619703480.339124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02160000	success
1619703480.339124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02161000	success
1619703480.355124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02163000	success
1619703480.355124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00665000	success
1619703480.386124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x026d1000	success
1619703480.402124 NtAllocateVirtualMemory	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x026d2000	success

Creates a shortcut to an executable file (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 个事件)

cmdline	schtasks.exe /Create /TN "Updates\gFZvCnoxH" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD02C.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFZvCnoxH" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD02C.tmp"
cmdline	"powershell" Get-MpPreference -verbose

A process created a hidden window (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619703481.058124 CreateProcessInternalW	thread_identifier: 2856 thread_handle: 0x0000749c process_identifier: 2456 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "powershell" Get-MpPreference -verbose filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x0000021c inherit_handles: 1	success	1	0
1619703507.058124 ShellExecuteExW	parameters: /Create /TN "Updates\gFZvCnoxH" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD02C.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)

entropy

7.996680997240148

section

{'size_of_data': '0x0000e600', 'virtual_address': '0x00002000', 'entropy': 7.996680997240148, 'name': 'Pd\\x1aoU-<\\x08', 'virtual_size': '0x0000e414'}

description

A section with a high entropy has been found

entropy

7.961798950503081

section

{'size_of_data': '0x00061c00', 'virtual_address': '0x00012000', 'entropy': 7.961798950503081, 'name': '.text', 'virtual_size': '0x00061ab0'}

description

A section with a high entropy has been found

entropy

0.9944567627494457

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619703477.136124 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619703486.496751 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (10 个事件)

Time & API	Arguments	Status
1619703517.871124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2668 process_handle: 0x0000ca94	failed
1619703517.871124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2668 process_handle: 0x0000ca94	success
1619703520.527124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1948 process_handle: 0x000074f8	failed
1619703520.527124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1948 process_handle: 0x000074f8	success
1619703522.871124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1812 process_handle: 0x0000ae0c	failed
1619703522.871124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1812 process_handle: 0x0000ae0c	success
1619703525.152124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1932 process_handle: 0x000074fc	failed
1619703525.152124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1932 process_handle: 0x000074fc	success
1619703527.418124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1320 process_handle: 0x0000d8dc	failed
1619703527.418124 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1320 process_handle: 0x0000d8dc	success

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	schtasks.exe /Create /TN "Updates\gFZvCnoxH" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD02C.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFZvCnoxH" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD02C.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (5 个事件)

Time & API	Arguments	Status	Return
1619703515.746124 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000074f4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619703518.027124 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002c8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619703520.730124 NtAllocateVirtualMemory	process_identifier: 1812 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002cc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619703523.058124 NtAllocateVirtualMemory	process_identifier: 1932 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002d0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619703525.339124 NtAllocateVirtualMemory	process_identifier: 1320 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002d4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD02C.tmp

Manipulates memory of a non-child process indicative of process injection (10 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3060 manipulating memory of non-child process 2668
Process injection	Process 3060 manipulating memory of non-child process 1948
Process injection	Process 3060 manipulating memory of non-child process 1812
Process injection	Process 3060 manipulating memory of non-child process 1932
Process injection	Process 3060 manipulating memory of non-child process 1320
1619703515.746124 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000074f4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619703518.027124 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002c8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619703520.730124 NtAllocateVirtualMemory	process_identifier: 1812 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002cc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619703523.058124 NtAllocateVirtualMemory	process_identifier: 1932 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002d0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619703525.339124 NtAllocateVirtualMemory	process_identifier: 1320 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002d4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Disables Windows Security features (4 个事件)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection

Executed a process and injected code into it, probably while unpacking (24 个事件)

Time & API	Arguments	Status	Return
1619703476.074124 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 3060	success	0
1619703476.089124 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 3060	success	0
1619703476.183124 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 3060	success	0
1619703481.058124 CreateProcessInternalW	thread_identifier: 2856 thread_handle: 0x0000749c process_identifier: 2456 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "powershell" Get-MpPreference -verbose filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x0000021c inherit_handles: 1	success	1
1619703507.058124 CreateProcessInternalW	thread_identifier: 1812 thread_handle: 0x000074e4 process_identifier: 1436 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFZvCnoxH" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD02C.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000074f0 inherit_handles: 0	success	1
1619703515.730124 CreateProcessInternalW	thread_identifier: 2764 thread_handle: 0x0000029c process_identifier: 2668 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8b76bc6ab1cac65762989b0c0525c2d8.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8b76bc6ab1cac65762989b0c0525c2d8.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000074f4 inherit_handles: 0	success	1
1619703515.746124 NtGetContextThread	thread_handle: 0x0000029c	success	0
1619703515.746124 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000074f4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619703518.027124 CreateProcessInternalW	thread_identifier: 1664 thread_handle: 0x0000ca94 process_identifier: 1948 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8b76bc6ab1cac65762989b0c0525c2d8.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8b76bc6ab1cac65762989b0c0525c2d8.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000002c8 inherit_handles: 0	success	1
1619703518.027124 NtGetContextThread	thread_handle: 0x0000ca94	success	0
1619703518.027124 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002c8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619703520.730124 CreateProcessInternalW	thread_identifier: 2956 thread_handle: 0x000074f8 process_identifier: 1812 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8b76bc6ab1cac65762989b0c0525c2d8.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8b76bc6ab1cac65762989b0c0525c2d8.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000002cc inherit_handles: 0	success	1
1619703520.730124 NtGetContextThread	thread_handle: 0x000074f8	success	0
1619703520.730124 NtAllocateVirtualMemory	process_identifier: 1812 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002cc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619703523.058124 CreateProcessInternalW	thread_identifier: 2648 thread_handle: 0x0000ae0c process_identifier: 1932 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8b76bc6ab1cac65762989b0c0525c2d8.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8b76bc6ab1cac65762989b0c0525c2d8.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000002d0 inherit_handles: 0	success	1
1619703523.058124 NtGetContextThread	thread_handle: 0x0000ae0c	success	0
1619703523.058124 NtAllocateVirtualMemory	process_identifier: 1932 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002d0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619703525.339124 CreateProcessInternalW	thread_identifier: 2484 thread_handle: 0x000074fc process_identifier: 1320 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8b76bc6ab1cac65762989b0c0525c2d8.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8b76bc6ab1cac65762989b0c0525c2d8.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000002d4 inherit_handles: 0	success	1
1619703525.339124 NtGetContextThread	thread_handle: 0x000074fc	success	0
1619703525.339124 NtAllocateVirtualMemory	process_identifier: 1320 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002d4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619703485.183751 NtResumeThread	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2456	success	0
1619703485.230751 NtResumeThread	thread_handle: 0x000002f4 suspend_count: 1 process_identifier: 2456	success	0
1619703490.386751 NtResumeThread	thread_handle: 0x00000460 suspend_count: 1 process_identifier: 2456	success	0
1619703491.339751 NtResumeThread	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 2456	success	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Myno.5
FireEye	Generic.mg.8b76bc6ab1cac657
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Artemis!8B76BC6AB1CA
Cylance	Unsafe
K7AntiVirus	Trojan ( 0056589d1 )
Alibaba	TrojanPSW:MSIL/Agensla.fb08c9d8
K7GW	Trojan ( 0056589d1 )
Cybereason	malicious.ab1cac
Arcabit	Trojan.Myno.5
BitDefenderTheta	Gen:NN.ZemsilF.34700.Cu0@a8Ua9Ad
Cyren	W32/MSIL_Kryptik.APM.gen!Eldorado
Symantec	Trojan Horse
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Gen:Variant.Myno.5
Paloalto	generic.ml
Tencent	Win32.Trojan.Inject.Auto
Ad-Aware	Gen:Variant.Myno.5
Sophos	Mal/Generic-S
Comodo	Malware@#10c3ipfmwvjbh
F-Secure	Trojan.TR/Kryptik.rxhfk
DrWeb	Trojan.Inject3.39354
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R06EC0PI220
McAfee-GW-Edition	BehavesLike.Win32.Generic.gc
Emsisoft	Gen:Variant.Myno.5 (B)
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.rxhfk
MAX	malware (ai score=88)
Antiy-AVL	Trojan/Win32.Wacatac
Gridinsoft	Trojan.Win32.Kryptik.vb
Microsoft	Trojan:Win32/Occamy.CF3
AegisLab	Trojan.Multi.Generic.4!c
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Gen:Variant.Myno.5
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.RL_Generic.C4097519
Acronis	suspicious
VBA32	CIL.HeapOverride.Heur
ALYac	Gen:Variant.Myno.5
Malwarebytes	Spyware.AgentTesla
ESET-NOD32	a variant of MSIL/Kryptik.VRL
TrendMicro-HouseCall	TROJ_GEN.R06EC0PI220
Yandex	Trojan.Kryptik!QHQQFKOWpnc
Ikarus	Trojan.MSIL.Krypt
MaxSecure	Trojan.Malware.74499699.susgen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-04-27 11:19:36

Imports

Library mscoree.dll:

• 0x478000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	63429	224.0.0.252	5355
192.168.56.101	65004	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	55369	239.255.255.250	3702
192.168.56.101	57875	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702
192.168.56.101	63432	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.