SmartHawk

15.8

0-day

55 个模型检测该样本为恶意！

重新分析

下载样本

a8d70892ef7ee47285c81177411ad8f089d8f025ff39d1b855dea18db3eda1d6

a108a4abc37f044efa22441efca4a576.exe

分析耗时

167s

最近分析

文件大小

720.0KB

静态报毒动态报毒 100% AI SCORE=89 ATTRIBUTE CONFIDENCE CRYPTINJECT ELDORADO EQMX FAREIT GDSDA GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HSOXFK KRYPTIK LHWI MALICIOUS PE MSILKRYPT PACKEDNET QJHF R002C0DHJ20 R348272 SCORE SUSGEN TM0@AW4IL3B TROJANX TSCOPE UNCLASSIFIEDMALWARE@0 UNSAFE VTRRE ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FYE!A108A4ABC37F	20200828	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:TrojanX-gen [Trj]	20200828	18.4.3895.0
Alibaba	Trojan:MSIL/CryptInject.0dc103f2	20190527	0.3.0.5
Kingsoft		20200828	2013.8.14.323
Tencent	Msil.Trojan.Crypt.Lhwi	20200828	1.0.0.1

Queries for the computername (9 个事件)

Time & API	Arguments	Status	Return
1619813945.28025 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619813970.029625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619813972.685625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619813973.060625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619813974.592625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619813974.592625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619813974.592625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619813975.170625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619813975.232625 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (25 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781470.827875 IsDebuggerPresent		failed	0	0
1619781470.827875 IsDebuggerPresent		failed	0	0
1619781522.171875 IsDebuggerPresent		failed	0	0
1619781522.671875 IsDebuggerPresent		failed	0	0
1619781523.186875 IsDebuggerPresent		failed	0	0
1619781523.671875 IsDebuggerPresent		failed	0	0
1619781524.186875 IsDebuggerPresent		failed	0	0
1619781524.671875 IsDebuggerPresent		failed	0	0
1619781525.186875 IsDebuggerPresent		failed	0	0
1619781525.671875 IsDebuggerPresent		failed	0	0
1619781526.186875 IsDebuggerPresent		failed	0	0
1619781526.671875 IsDebuggerPresent		failed	0	0
1619781527.186875 IsDebuggerPresent		failed	0	0
1619781527.671875 IsDebuggerPresent		failed	0	0
1619781528.249875 IsDebuggerPresent		failed	0	0
1619781528.671875 IsDebuggerPresent		failed	0	0
1619781529.249875 IsDebuggerPresent		failed	0	0
1619781529.671875 IsDebuggerPresent		failed	0	0
1619781530.249875 IsDebuggerPresent		failed	0	0
1619781530.671875 IsDebuggerPresent		failed	0	0
1619781531.249875 IsDebuggerPresent		failed	0	0
1619781531.671875 IsDebuggerPresent		failed	0	0
1619781532.249875 IsDebuggerPresent		failed	0	0
1619813955.154625 IsDebuggerPresent		failed	0	0
1619813955.154625 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619813949.87425 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\qVfvDd"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781470.827875 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619813975.185625 __exception__	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77da9e31 IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x7637d141 OleCreateFromData+0x195 NdrProxyForwardingFunction4-0x81f ole32+0xc586d @ 0x767b586d ObjectStublessClient31+0x886b STGMEDIUM_UserUnmarshal-0x20e43 ole32+0x998db @ 0x767898db system+0x577bfc @ 0x718e7bfc system+0x7a0f66 @ 0x70ea0f66 system+0x7a092c @ 0x70ea092c system+0x7a058e @ 0x70ea058e system+0x79e700 @ 0x70e9e700 system+0x79d843 @ 0x70e9d843 system+0x79d8b1 @ 0x70e9d8b1 0x5ca49d5 0x754368 system+0x216fb6 @ 0x70916fb6 0xcb09e5 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a 0x5ca4584 0x755911 0x4ca315 system+0x222b78 @ 0x70922b78 system+0x222650 @ 0x70922650 system+0x2157c3 @ 0x709157c3 system+0x2155c0 @ 0x709155c0 system+0x221537 @ 0x70921537 system+0x217408 @ 0x70917408 system+0x2202aa @ 0x709202aa system+0x221460 @ 0x70921460 system+0x220129 @ 0x70920129 system+0x2170f3 @ 0x709170f3 system+0x217071 @ 0x70917071 system+0x216fb6 @ 0x70916fb6 0xcb09e5 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5 system+0x23252c @ 0x7093252c system+0xaec65d @ 0x711ec65d system+0x212c60 @ 0x70912c60 system+0x226d9d @ 0x70926d9d system+0x226c81 @ 0x70926c81 0x753095 0x752bd7 0x750ce9 0x750135 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 registers.esp: 1826108 registers.edi: 5505024 registers.eax: 4294967288 registers.ebp: 1826152 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 5505024 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77da9e58	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619813975.185625
__exception__

stacktrace:

_vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77da9e31
IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x7637d141
OleCreateFromData+0x195 NdrProxyForwardingFunction4-0x81f ole32+0xc586d @ 0x767b586d
ObjectStublessClient31+0x886b STGMEDIUM_UserUnmarshal-0x20e43 ole32+0x998db @ 0x767898db
system+0x577bfc @ 0x718e7bfc
system+0x7a0f66 @ 0x70ea0f66
system+0x7a092c @ 0x70ea092c
system+0x7a058e @ 0x70ea058e
system+0x79e700 @ 0x70e9e700
system+0x79d843 @ 0x70e9d843
system+0x79d8b1 @ 0x70e9d8b1
0x5ca49d5
0x754368
system+0x216fb6 @ 0x70916fb6
0xcb09e5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
0x5ca4584
0x755911
0x4ca315
system+0x222b78 @ 0x70922b78
system+0x222650 @ 0x70922650
system+0x2157c3 @ 0x709157c3
system+0x2155c0 @ 0x709155c0
system+0x221537 @ 0x70921537
system+0x217408 @ 0x70917408
system+0x2202aa @ 0x709202aa
system+0x221460 @ 0x70921460
system+0x220129 @ 0x70920129
system+0x2170f3 @ 0x709170f3
system+0x217071 @ 0x70917071
system+0x216fb6 @ 0x70916fb6
0xcb09e5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
system+0x23252c @ 0x7093252c
system+0xaec65d @ 0x711ec65d
system+0x212c60 @ 0x70912c60
system+0x226d9d @ 0x70926d9d
system+0x226c81 @ 0x70926c81
0x753095
0x752bd7
0x750ce9
0x750135
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2

registers.esp: 1826108
registers.edi: 5505024
registers.eax: 4294967288
registers.ebp: 1826152
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 5505024
exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84
exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58
exception.instruction: cmp byte ptr [eax + 7], 5
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 499288
exception.address: 0x77da9e58

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 个事件)

Time & API	Arguments	Status	Return
1619813958.842625 bind	ip_address: 127.0.0.1 socket: 596 port: 0	success	0
1619813958.842625 listen	socket: 596 backlog: 2147483647	success	0
1619813959.498625 accept	ip_address: 127.0.0.1 socket: 596 port: 0	failed	4294967295

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://whatismyipaddress.com/
suspicious_features	POST method with no referer header				suspicious_request	POST https://update.googleapis.com/service/update2?cup2key=10:4220899645&cup2hreq=81267eab2898eceac8adf33a51b2fe291d9d481598606c2879888d1a9c027df2

Performs some HTTP requests (2 个事件)

request	GET http://whatismyipaddress.com/
request	POST https://update.googleapis.com/service/update2?cup2key=10:4220899645&cup2hreq=81267eab2898eceac8adf33a51b2fe291d9d481598606c2879888d1a9c027df2

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:4220899645&cup2hreq=81267eab2898eceac8adf33a51b2fe291d9d481598606c2879888d1a9c027df2

Allocates read-write-execute memory (usually to unpack itself) (50 out of 181 个事件)

Time & API	Arguments	Status	Return
1619781469.983875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00440000	success	0
1619781469.983875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00450000	success	0
1619781470.592875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00490000	success	0
1619781470.592875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00490000	success	0
1619781470.655875 NtProtectVirtualMemory	process_identifier: 3000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b91000	success	0
1619781470.827875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x021a0000	success	0
1619781470.827875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02330000	success	0
1619781470.827875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004ea000	success	0
1619781470.827875 NtProtectVirtualMemory	process_identifier: 3000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b92000	success	0
1619781470.827875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004e2000	success	0
1619781470.999875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00572000	success	0
1619781471.061875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00595000	success	0
1619781471.077875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0059b000	success	0
1619781471.077875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00597000	success	0
1619781471.186875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00573000	success	0
1619781471.217875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0057c000	success	0
1619781471.296875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a30000	success	0
1619781471.296875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00574000	success	0
1619781471.311875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a31000	success	0
1619781471.358875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a32000	success	0
1619781471.921875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00575000	success	0
1619781471.921875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00577000	success	0
1619781472.077875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058a000	success	0
1619781472.077875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00587000	success	0
1619781472.186875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00578000	success	0
1619781472.186875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a33000	success	0
1619781472.358875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a35000	success	0
1619781472.436875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00579000	success	0
1619781472.577875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00730000	success	0
1619781472.608875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a36000	success	0
1619781472.624875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00731000	success	0
1619781472.639875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00586000	success	0
1619781472.686875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00732000	success	0
1619781472.717875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a37000	success	0
1619781472.749875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a38000	success	0
1619781472.764875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0057d000	success	0
1619781514.264875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a3b000	success	0
1619781514.467875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a3c000	success	0
1619781514.686875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004ec000	success	0
1619781514.749875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00733000	success	0
1619781514.827875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a3d000	success	0
1619781514.827875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00734000	success	0
1619781514.842875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a3e000	success	0
1619781514.967875 NtProtectVirtualMemory	process_identifier: 3000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 504320 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x05920400	failed	3221225550
1619781520.842875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a3f000	success	0
1619781520.842875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02320000	success	0
1619781520.874875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02321000	success	0
1619781520.936875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02322000	success	0
1619781520.952875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02323000	success	0
1619781521.139875 NtAllocateVirtualMemory	process_identifier: 3000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00735000	success	0

Looks up the external IP address (1 个事件)

domain

whatismyipaddress.com

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qVfvDd" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp4C9F.tmp"
cmdline	schtasks.exe /Create /TN "Updates\qVfvDd" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp4C9F.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781522.733875 ShellExecuteExW	parameters: /Create /TN "Updates\qVfvDd" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp4C9F.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619813964.560625 GetAdaptersAddresses	flags: 1158 family: 0	success	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.914080459389057

section

{'size_of_data': '0x000b3600', 'virtual_address': '0x00002000', 'entropy': 7.914080459389057, 'name': '.text', 'virtual_size': '0x000b34c4'}

description

A section with a high entropy has been found

entropy

0.9972202918693537

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781514.967875 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619813975.107625 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qVfvDd" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp4C9F.tmp"
cmdline	schtasks.exe /Create /TN "Updates\qVfvDd" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp4C9F.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781532.311875 NtAllocateVirtualMemory	process_identifier: 2256 region_size: 557056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00004214 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

A process attempted to delay the analysis task. (1 个事件)

description

RegSvcs.exe tried to sleep 2728169 seconds, actually delayed analysis time by 2728169 seconds

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp4C9F.tmp

Potential code injection by writing to the memory of another process (3 个事件)

Time & API	Arguments	Status	Return
1619781532.311875 WriteProcessMemory	process_identifier: 2256 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL7Ü0_àì4î @ @ K 2` H.textôë ì `.rsrc2 2î@@.reloc` @B process_handle: 0x00004214 base_address: 0x00400000	success	1
1619781532.327875 WriteProcessMemory	process_identifier: 2256 buffer: ð; process_handle: 0x00004214 base_address: 0x00486000	success	1
1619781532.327875 WriteProcessMemory	process_identifier: 2256 buffer: @ process_handle: 0x00004214 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781532.311875 WriteProcessMemory	process_identifier: 2256 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL7Ü0_àì4î @ @ K 2` H.textôë ì `.rsrc2 2î@@.reloc` @B process_handle: 0x00004214 base_address: 0x00400000	success	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619813975.107625 SetWindowsHookExA	thread_identifier: 0 callback_function: 0x00cc698a module_address: 0x00400000 hook_identifier: 13 (WH_KEYBOARD_LL)	success	2293991	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3000 called NtSetContextThread to modify thread in remote process 2256
1619781532.327875 NtSetContextThread	thread_handle: 0x0000a21c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4721646 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2256	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3000 resumed a thread in remote process 2256
1619781532.499875 NtResumeThread	thread_handle: 0x0000a21c suspend_count: 1 process_identifier: 2256	success	0	0

Attempts to modify Explorer settings to prevent hidden files from being displayed (1 个事件)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden

Executed a process and injected code into it, probably while unpacking (41 个事件)

Time & API	Arguments	Status	Return
1619781470.827875 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 3000	success	0
1619781470.827875 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 3000	success	0
1619781470.827875 NtResumeThread	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 3000	success	0
1619781522.108875 NtResumeThread	thread_handle: 0x0000ca64 suspend_count: 1 process_identifier: 3000	success	0
1619781522.155875 NtResumeThread	thread_handle: 0x000119b0 suspend_count: 1 process_identifier: 3000	success	0
1619781522.733875 CreateProcessInternalW	thread_identifier: 1416 thread_handle: 0x000090b4 process_identifier: 2188 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qVfvDd" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp4C9F.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000037d4 inherit_handles: 0	success	1
1619781532.311875 CreateProcessInternalW	thread_identifier: 2996 thread_handle: 0x0000a21c process_identifier: 2256 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: "{path}" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00004214 inherit_handles: 0	success	1
1619781532.311875 NtGetContextThread	thread_handle: 0x0000a21c	success	0
1619781532.311875 NtAllocateVirtualMemory	process_identifier: 2256 region_size: 557056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00004214 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619781532.311875 WriteProcessMemory	process_identifier: 2256 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL7Ü0_àì4î @ @ K 2` H.textôë ì `.rsrc2 2î@@.reloc` @B process_handle: 0x00004214 base_address: 0x00400000	success	1
1619781532.311875 WriteProcessMemory	process_identifier: 2256 buffer: process_handle: 0x00004214 base_address: 0x00402000	success	1
1619781532.327875 WriteProcessMemory	process_identifier: 2256 buffer: process_handle: 0x00004214 base_address: 0x00482000	success	1
1619781532.327875 WriteProcessMemory	process_identifier: 2256 buffer: ð; process_handle: 0x00004214 base_address: 0x00486000	success	1
1619781532.327875 WriteProcessMemory	process_identifier: 2256 buffer: @ process_handle: 0x00004214 base_address: 0x7efde008	success	1
1619781532.327875 NtSetContextThread	thread_handle: 0x0000a21c registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4721646 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2256	success	0
1619781532.499875 NtResumeThread	thread_handle: 0x0000a21c suspend_count: 1 process_identifier: 2256	success	0
1619781532.499875 NtResumeThread	thread_handle: 0x0000e12c suspend_count: 1 process_identifier: 3000	success	0
1619781532.530875 NtGetContextThread	thread_handle: 0x0000e12c	success	0
1619781532.530875 NtGetContextThread	thread_handle: 0x0000e12c	success	0
1619781532.530875 NtResumeThread	thread_handle: 0x0000e12c suspend_count: 1 process_identifier: 3000	success	0
1619781532.546875 NtGetContextThread	thread_handle: 0x0000e12c	success	0
1619781532.546875 NtGetContextThread	thread_handle: 0x0000e12c	success	0
1619781532.546875 NtResumeThread	thread_handle: 0x0000e12c suspend_count: 1 process_identifier: 3000	success	0
1619813955.154625 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2256	success	0
1619813955.154625 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2256	success	0
1619813955.201625 NtResumeThread	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2256	success	0
1619813959.545625 NtResumeThread	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2256	success	0
1619813964.935625 NtResumeThread	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2256	success	0
1619813970.295625 NtResumeThread	thread_handle: 0x000004b0 suspend_count: 1 process_identifier: 2256	success	0
1619813972.029625 NtResumeThread	thread_handle: 0x000004fc suspend_count: 1 process_identifier: 2256	success	0
1619813974.592625 NtResumeThread	thread_handle: 0x00000564 suspend_count: 1 process_identifier: 2256	success	0
1619813974.607625 NtResumeThread	thread_handle: 0x0000057c suspend_count: 1 process_identifier: 2256	success	0
1619813974.607625 NtResumeThread	thread_handle: 0x00000590 suspend_count: 1 process_identifier: 2256	success	0
1619813974.607625 NtResumeThread	thread_handle: 0x000005a4 suspend_count: 1 process_identifier: 2256	success	0
1619813974.935625 NtResumeThread	thread_handle: 0x000005c0 suspend_count: 1 process_identifier: 2256	success	0
1619813974.982625 NtResumeThread	thread_handle: 0x000005d8 suspend_count: 1 process_identifier: 2256	success	0
1619813975.013625 NtResumeThread	thread_handle: 0x000005e8 suspend_count: 1 process_identifier: 2256	success	0
1619813975.029625 NtResumeThread	thread_handle: 0x000005fc suspend_count: 1 process_identifier: 2256	success	0
1619813975.123625 NtResumeThread	thread_handle: 0x00000614 suspend_count: 1 process_identifier: 2256	success	0
1619813975.201625 NtResumeThread	thread_handle: 0x0000064c suspend_count: 1 process_identifier: 2256	success	0
1619813977.982625 NtResumeThread	thread_handle: 0x00000664 suspend_count: 1 process_identifier: 2256	success	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)

Elastic	malicious (high confidence)
FireEye	Generic.mg.a108a4abc37f044e
CAT-QuickHeal	Trojan.Multi
McAfee	Fareit-FYE!A108A4ABC37F
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2374770
AegisLab	Trojan.MSIL.Crypt.4!c
Sangfor	Malware
K7AntiVirus	Trojan ( 0056c4a21 )
BitDefender	Trojan.GenericKD.34380773
K7GW	Trojan ( 0056c4a21 )
CrowdStrike	win/malicious_confidence_100% (W)
Invincea	heuristic
Cyren	W32/MSIL_Kryptik.BKV.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Cynet	Malicious (score: 85)
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
Alibaba	Trojan:MSIL/CryptInject.0dc103f2
NANO-Antivirus	Trojan.Win32.Crypt.hsoxfk
ViRobot	Trojan.Win32.Z.Malpack.737280.A
MicroWorld-eScan	Trojan.GenericKD.34380773
Ad-Aware	Trojan.GenericKD.34380773
Comodo	.UnclassifiedMalware@0
F-Secure	Trojan.TR/Kryptik.vtrre
DrWeb	Trojan.PackedNET.405
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0DHJ20
Sophos	Mal/Generic-S
SentinelOne	DFI - Malicious PE
GData	Trojan.GenericKD.34380773
Jiangmin	Trojan.MSIL.qjhf
MaxSecure	Trojan.Malware.300983.susgen
Avira	TR/Kryptik.vtrre
MAX	malware (ai score=89)
Antiy-AVL	Trojan/MSIL.Kryptik
Arcabit	Trojan.Generic.D20C9BE5
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
Microsoft	Trojan:MSIL/CryptInject.AR!MTB
AhnLab-V3	Trojan/Win32.MSILKrypt.R348272
BitDefenderTheta	Gen:NN.ZemsilF.34196.Tm0@aW4IL3b
ALYac	Trojan.GenericKD.34380773
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.MalPack
Panda	Trj/GdSda.A
ESET-NOD32	a variant of MSIL/Kryptik.XJJ
TrendMicro-HouseCall	TROJ_GEN.R002C0DHJ20
Tencent	Msil.Trojan.Crypt.Lhwi
Ikarus	Trojan.MSIL.Crypt

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-18 06:44:46

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
whatismyipaddress.com	A 104.16.154.36 A 104.16.155.36	104.16.154.36
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	216.58.200.238
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 203.208.40.34	203.208.41.34
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49193	104.16.154.36 whatismyipaddress.com	80
192.168.56.101	49195	203.208.40.34 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	54260	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	57236	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	54178	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://whatismyipaddress.com/	GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.