9.8
极危
51 个模型检测该样本为恶意!
重新分析
更多

ff3d19c8989f4d69891f5c96ffed7db076129f437ea44d3115322ba84c4f7975

b711bbdecb0ab26dd9a22ea6e35b405f.exe

分析耗时

64s

最近分析

文件大小

385.0KB
静态报毒 动态报毒 AGEN AGENSLA AGENTTESLA AI SCORE=84 ALI1000139 AVSARHER BTTLHJ ELDORADO FAREIT FSDS GDSDA GENERICKDZ HIGH CONFIDENCE KRYPTIK MALICIOUS PE MALWARE@#3BYXOAGAGI7K PACKEDNET R06EC0DI220 RATX REMCOS SCORE STARTER STATIC AI SUSGEN TSCOPE UNSAFE VOBFUS YAKBEEXMSIL YM0@A80VR0N ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/starter.ali1000139 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:RATX-gen [Trj] 20210127 21.1.5827.0
Tencent 20210127 1.0.0.1
Kingsoft 20210127 2017.9.26.565
McAfee Trojan-FSDS!B711BBDECB0A 20210127 6.0.6.653
静态指标
Queries for the computername (7 个事件)
Time & API Arguments Status Return Repeated
1619893749.40125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619893749.43325
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619893749.44825
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619893749.46425
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619893753.05825
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619893753.05825
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619893766.667
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 77 个事件)
Time & API Arguments Status Return Repeated
1619861122.774465
IsDebuggerPresent
failed 0 0
1619861122.774465
IsDebuggerPresent
failed 0 0
1619861123.899465
IsDebuggerPresent
failed 0 0
1619861124.415465
IsDebuggerPresent
failed 0 0
1619861124.915465
IsDebuggerPresent
failed 0 0
1619861125.415465
IsDebuggerPresent
failed 0 0
1619861125.915465
IsDebuggerPresent
failed 0 0
1619861126.415465
IsDebuggerPresent
failed 0 0
1619861126.915465
IsDebuggerPresent
failed 0 0
1619861127.415465
IsDebuggerPresent
failed 0 0
1619861127.915465
IsDebuggerPresent
failed 0 0
1619861128.415465
IsDebuggerPresent
failed 0 0
1619861128.915465
IsDebuggerPresent
failed 0 0
1619861129.415465
IsDebuggerPresent
failed 0 0
1619861129.915465
IsDebuggerPresent
failed 0 0
1619861130.415465
IsDebuggerPresent
failed 0 0
1619861130.915465
IsDebuggerPresent
failed 0 0
1619861131.415465
IsDebuggerPresent
failed 0 0
1619861131.915465
IsDebuggerPresent
failed 0 0
1619861132.415465
IsDebuggerPresent
failed 0 0
1619861132.915465
IsDebuggerPresent
failed 0 0
1619861133.415465
IsDebuggerPresent
failed 0 0
1619861133.915465
IsDebuggerPresent
failed 0 0
1619861134.415465
IsDebuggerPresent
failed 0 0
1619861134.915465
IsDebuggerPresent
failed 0 0
1619861135.415465
IsDebuggerPresent
failed 0 0
1619861135.915465
IsDebuggerPresent
failed 0 0
1619861136.415465
IsDebuggerPresent
failed 0 0
1619861136.915465
IsDebuggerPresent
failed 0 0
1619861137.415465
IsDebuggerPresent
failed 0 0
1619861137.915465
IsDebuggerPresent
failed 0 0
1619861138.415465
IsDebuggerPresent
failed 0 0
1619861138.915465
IsDebuggerPresent
failed 0 0
1619861139.415465
IsDebuggerPresent
failed 0 0
1619861139.915465
IsDebuggerPresent
failed 0 0
1619861140.415465
IsDebuggerPresent
failed 0 0
1619861140.915465
IsDebuggerPresent
failed 0 0
1619861141.415465
IsDebuggerPresent
failed 0 0
1619861141.915465
IsDebuggerPresent
failed 0 0
1619861142.415465
IsDebuggerPresent
failed 0 0
1619861142.915465
IsDebuggerPresent
failed 0 0
1619861143.415465
IsDebuggerPresent
failed 0 0
1619861143.915465
IsDebuggerPresent
failed 0 0
1619861144.415465
IsDebuggerPresent
failed 0 0
1619861144.946465
IsDebuggerPresent
failed 0 0
1619861145.415465
IsDebuggerPresent
failed 0 0
1619861145.962465
IsDebuggerPresent
failed 0 0
1619861146.415465
IsDebuggerPresent
failed 0 0
1619861146.962465
IsDebuggerPresent
failed 0 0
1619861147.415465
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619893767.839
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\cTranyPqthcqu"。
console_handle: 0x00000007
success 1 0
Uses Windows APIs to generate a cryptographic key (50 out of 64 个事件)
Time & API Arguments Status Return Repeated
1619893750.99525
CryptExportKey
crypto_handle: 0x0047a260
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.74525
CryptExportKey
crypto_handle: 0x0047a120
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.74525
CryptExportKey
crypto_handle: 0x0047a120
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.74525
CryptExportKey
crypto_handle: 0x0047a120
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.80825
CryptExportKey
crypto_handle: 0x0047a120
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.80825
CryptExportKey
crypto_handle: 0x0047a120
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.80825
CryptExportKey
crypto_handle: 0x0047a120
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.83925
CryptExportKey
crypto_handle: 0x0047a120
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.88625
CryptExportKey
crypto_handle: 0x00479660
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.88625
CryptExportKey
crypto_handle: 0x00479660
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.93325
CryptExportKey
crypto_handle: 0x00479660
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.93325
CryptExportKey
crypto_handle: 0x00479660
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.93325
CryptExportKey
crypto_handle: 0x00479660
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893751.93325
CryptExportKey
crypto_handle: 0x00479660
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.23025
CryptExportKey
crypto_handle: 0x00479ba0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.23025
CryptExportKey
crypto_handle: 0x00479ba0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.23025
CryptExportKey
crypto_handle: 0x00479ba0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.23025
CryptExportKey
crypto_handle: 0x00479ba0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.23025
CryptExportKey
crypto_handle: 0x00479ba0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.23025
CryptExportKey
crypto_handle: 0x00479ba0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.24525
CryptExportKey
crypto_handle: 0x00479ba0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.73025
CryptExportKey
crypto_handle: 0x00479f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.73025
CryptExportKey
crypto_handle: 0x00479f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.73025
CryptExportKey
crypto_handle: 0x00479f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.73025
CryptExportKey
crypto_handle: 0x00479aa0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.74525
CryptExportKey
crypto_handle: 0x00479f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.74525
CryptExportKey
crypto_handle: 0x00479f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.74525
CryptExportKey
crypto_handle: 0x00479f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.74525
CryptExportKey
crypto_handle: 0x00479f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.74525
CryptExportKey
crypto_handle: 0x00479f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.74525
CryptExportKey
crypto_handle: 0x00479f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.74525
CryptExportKey
crypto_handle: 0x00479f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.82325
CryptExportKey
crypto_handle: 0x00479f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.82325
CryptExportKey
crypto_handle: 0x00479f60
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.90125
CryptExportKey
crypto_handle: 0x00479ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.90125
CryptExportKey
crypto_handle: 0x00479ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.90125
CryptExportKey
crypto_handle: 0x00479ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.91725
CryptExportKey
crypto_handle: 0x00479ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.91725
CryptExportKey
crypto_handle: 0x00479ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.91725
CryptExportKey
crypto_handle: 0x00479ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.93325
CryptExportKey
crypto_handle: 0x00479ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.98025
CryptExportKey
crypto_handle: 0x00479520
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893752.98025
CryptExportKey
crypto_handle: 0x00479520
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893753.13625
CryptExportKey
crypto_handle: 0x00479520
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893753.13625
CryptExportKey
crypto_handle: 0x00479520
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893753.13625
CryptExportKey
crypto_handle: 0x00479520
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893753.13625
CryptExportKey
crypto_handle: 0x00479520
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893753.13625
CryptExportKey
crypto_handle: 0x00479520
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893753.15125
CryptExportKey
crypto_handle: 0x00479520
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619893753.15125
CryptExportKey
crypto_handle: 0x00479520
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619861122.837465
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
Allocates read-write-execute memory (usually to unpack itself) (50 out of 200 个事件)
Time & API Arguments Status Return Repeated
1619861121.821465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00770000
success 0 0
1619861121.821465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a0000
success 0 0
1619861122.305465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00c90000
success 0 0
1619861122.305465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00de0000
success 0 0
1619861122.462465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619861122.774465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 983040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x005f0000
success 0 0
1619861122.774465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006a0000
success 0 0
1619861122.774465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0041a000
success 0 0
1619861122.774465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619861122.774465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00412000
success 0 0
1619861123.055465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00422000
success 0 0
1619861123.149465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00445000
success 0 0
1619861123.149465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0044b000
success 0 0
1619861123.149465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00447000
success 0 0
1619861123.227465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00423000
success 0 0
1619861123.258465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042c000
success 0 0
1619861123.321465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007b0000
success 0 0
1619861123.352465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007b1000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01220000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01220000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x011d0000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x011d0000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x011d0000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x011d2000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.352465
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01206000
success 0 0
1619861123.508465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00424000
success 0 0
1619861124.040465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00425000
success 0 0
1619861124.102465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00427000
success 0 0
1619861124.196465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0043a000
success 0 0
1619861124.196465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00437000
success 0 0
1619861124.321465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00436000
success 0 0
1619861124.415465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007b2000
success 0 0
1619861124.743465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0042a000
success 0 0
1619861125.040465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00428000
success 0 0
1619861125.040465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00429000
success 0 0
1619861125.102465
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00de1000
success 0 0
Creates a shortcut to an executable file (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (3 个事件)
cmdline schtasks.exe /Create /TN "Updates\cTranyPqthcqu" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD2EB.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cTranyPqthcqu" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD2EB.tmp"
cmdline "powershell" Get-MpPreference -verbose
A process created a hidden window (2 个事件)
Time & API Arguments Status Return Repeated
1619861135.633465
CreateProcessInternalW
thread_identifier: 2080
thread_handle: 0x00000270
process_identifier: 784
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell" Get-MpPreference -verbose
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x0000027c
inherit_handles: 1
success 1 0
1619861154.915465
ShellExecuteExW
parameters: /Create /TN "Updates\cTranyPqthcqu" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD2EB.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.145860411598681 section {'size_of_data': '0x0004f000', 'virtual_address': '0x00002000', 'entropy': 7.145860411598681, 'name': '.text', 'virtual_size': '0x0004ef74'} description A section with a high entropy has been found
entropy 0.8218465539661899 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619861123.633465
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619893750.83925
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (10 个事件)
Time & API Arguments Status Return Repeated
1619861158.758465
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 624
process_handle: 0x000003dc
failed 0 0
1619861158.758465
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 624
process_handle: 0x000003dc
success 0 0
1619861159.508465
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1812
process_handle: 0x000003e4
failed 0 0
1619861159.508465
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1812
process_handle: 0x000003e4
success 0 0
1619861160.055465
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2440
process_handle: 0x000003ec
failed 0 0
1619861160.055465
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2440
process_handle: 0x000003ec
success 0 0
1619861160.493465
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1160
process_handle: 0x000003f4
failed 0 0
1619861160.493465
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1160
process_handle: 0x000003f4
success 0 0
1619861160.868465
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1476
process_handle: 0x000003fc
failed 0 0
1619861160.868465
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1476
process_handle: 0x000003fc
success 0 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\cTranyPqthcqu" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD2EB.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cTranyPqthcqu" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD2EB.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (5 个事件)
Time & API Arguments Status Return Repeated
1619861158.212465
NtAllocateVirtualMemory
process_identifier: 624
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003d4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861158.977465
NtAllocateVirtualMemory
process_identifier: 1812
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003d8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861159.758465
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003e0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861160.165465
NtAllocateVirtualMemory
process_identifier: 1160
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003e8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861160.602465
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003f0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD2EB.tmp
Manipulates memory of a non-child process indicative of process injection (10 个事件)
Process injection Process 2740 manipulating memory of non-child process 624
Process injection Process 2740 manipulating memory of non-child process 1812
Process injection Process 2740 manipulating memory of non-child process 2440
Process injection Process 2740 manipulating memory of non-child process 1160
Process injection Process 2740 manipulating memory of non-child process 1476
Time & API Arguments Status Return Repeated
1619861158.212465
NtAllocateVirtualMemory
process_identifier: 624
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003d4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861158.977465
NtAllocateVirtualMemory
process_identifier: 1812
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003d8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861159.758465
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003e0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861160.165465
NtAllocateVirtualMemory
process_identifier: 1160
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003e8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861160.602465
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003f0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Disables Windows Security features (4 个事件)
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
Executed a process and injected code into it, probably while unpacking (26 个事件)
Time & API Arguments Status Return Repeated
1619861122.774465
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2740
success 0 0
1619861122.790465
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2740
success 0 0
1619861122.915465
NtResumeThread
thread_handle: 0x00000170
suspend_count: 1
process_identifier: 2740
success 0 0
1619861123.837465
NtResumeThread
thread_handle: 0x00000204
suspend_count: 1
process_identifier: 2740
success 0 0
1619861123.883465
NtResumeThread
thread_handle: 0x0000021c
suspend_count: 1
process_identifier: 2740
success 0 0
1619861135.633465
CreateProcessInternalW
thread_identifier: 2080
thread_handle: 0x00000270
process_identifier: 784
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell" Get-MpPreference -verbose
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x0000027c
inherit_handles: 1
success 1 0
1619861154.915465
CreateProcessInternalW
thread_identifier: 2772
thread_handle: 0x0000038c
process_identifier: 3064
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cTranyPqthcqu" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpD2EB.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000003c4
inherit_handles: 0
success 1 0
1619861158.196465
CreateProcessInternalW
thread_identifier: 2040
thread_handle: 0x00000380
process_identifier: 624
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000003d4
inherit_handles: 0
success 1 0
1619861158.212465
NtGetContextThread
thread_handle: 0x00000380
success 0 0
1619861158.212465
NtAllocateVirtualMemory
process_identifier: 624
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003d4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861158.962465
CreateProcessInternalW
thread_identifier: 472
thread_handle: 0x000003dc
process_identifier: 1812
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000003d8
inherit_handles: 0
success 1 0
1619861158.962465
NtGetContextThread
thread_handle: 0x000003dc
success 0 0
1619861158.977465
NtAllocateVirtualMemory
process_identifier: 1812
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003d8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861159.758465
CreateProcessInternalW
thread_identifier: 2772
thread_handle: 0x000003e4
process_identifier: 2440
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000003e0
inherit_handles: 0
success 1 0
1619861159.758465
NtGetContextThread
thread_handle: 0x000003e4
success 0 0
1619861159.758465
NtAllocateVirtualMemory
process_identifier: 2440
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003e0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861160.165465
CreateProcessInternalW
thread_identifier: 2668
thread_handle: 0x000003ec
process_identifier: 1160
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000003e8
inherit_handles: 0
success 1 0
1619861160.165465
NtGetContextThread
thread_handle: 0x000003ec
success 0 0
1619861160.165465
NtAllocateVirtualMemory
process_identifier: 1160
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003e8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619861160.602465
CreateProcessInternalW
thread_identifier: 1916
thread_handle: 0x000003f4
process_identifier: 1476
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000003f0
inherit_handles: 0
success 1 0
1619861160.602465
NtGetContextThread
thread_handle: 0x000003f4
success 0 0
1619861160.602465
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003f0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619893749.91725
NtResumeThread
thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 784
success 0 0
1619893749.94825
NtResumeThread
thread_handle: 0x000002f4
suspend_count: 1
process_identifier: 784
success 0 0
1619893753.60525
NtResumeThread
thread_handle: 0x00000460
suspend_count: 1
process_identifier: 784
success 0 0
1619893754.35525
NtResumeThread
thread_handle: 0x000003b8
suspend_count: 1
process_identifier: 784
success 0 0
File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.66254
FireEye Generic.mg.b711bbdecb0ab26d
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
ALYac Trojan.Fareit.gen
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 005662b41 )
Alibaba Trojan:Win32/starter.ali1000139
K7GW Trojan ( 005662b41 )
Cybereason malicious.ecb0ab
Arcabit Trojan.Generic.D102CE
Cyren W32/Vobfus.RE.gen!Eldorado
Symantec Trojan.Gen.2
APEX Malicious
Avast Win32:RATX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKDZ.66254
Paloalto generic.ml
Ad-Aware Trojan.GenericKDZ.66254
Sophos Mal/Generic-S
Comodo Malware@#3byxoagagi7k
F-Secure Heuristic.HEUR/AGEN.1134071
DrWeb Trojan.PackedNET.257
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06EC0DI220
McAfee-GW-Edition Trojan-FSDS!B711BBDECB0A
Emsisoft Trojan.GenericKDZ.66254 (B)
Ikarus Trojan.Inject
Avira HEUR/AGEN.1134071
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft Trojan:MSIL/AgentTesla!MTB
ViRobot Trojan.Win32.Z.Packednet.394240
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKDZ.66254
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.Fareit.C4049600
McAfee Trojan-FSDS!B711BBDECB0A
MAX malware (ai score=84)
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MalPack
ESET-NOD32 a variant of MSIL/Kryptik.WBI
TrendMicro-HouseCall Backdoor.MSIL.REMCOS.SM
Yandex Trojan.AvsArher.bTtlhJ
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.74499699.susgen
Fortinet MSIL/Kryptik.VJF!tr
BitDefenderTheta Gen:NN.ZemsilF.34780.ym0@a80Vr0n
AVG Win32:RATX-gen [Trj]
Panda Trj/GdSda.A
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-04-08 19:59:32

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.