11.6
0-day
56 个模型检测该样本为恶意!
重新分析
更多

6d4894f2200a9addaef3823582389bd0a91d0547e2e9128c30fa8926fbd27aa9

d35e77616c34c301b5cb652c84b2d6f6.exe

分析耗时

79s

最近分析

文件大小

469.0KB
静态报毒 动态报毒 AGENTTESLA AI SCORE=80 ALI2000016 APVQ ATTRIBUTE AVEMARIA BTH9J0 CLOUD CONFIDENCE DM0@A8EE5@L EKGR ELDORADO FSHN GDSDA GENERICKD GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HKBUHJ IGENT KILLPROC2 KRYPTIK MALICIOUS PE MALWARE@#3GBI1NF7NYQVZ NEGASTEAL PWSX THEAEBO TSCOPE UNSAFE WPJI ZEMSILCO 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/Kryptik.ali2000016 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20200605 18.4.3895.0
Tencent Msil.Trojan-spy.Avemaria.Wpji 20200605 1.0.0.1
Kingsoft 20200605 2013.8.14.323
McAfee Trojan-FSHN!D35E77616C34 20200605 6.0.6.653
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
静态指标
Queries for the computername (4 个事件)
Time & API Arguments Status Return Repeated
1619921358.593001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619921360.218001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619921361.781001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619921361.953001
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (4 个事件)
Time & API Arguments Status Return Repeated
1619910848.004234
IsDebuggerPresent
failed 0 0
1619910848.004234
IsDebuggerPresent
failed 0 0
1619921348.968001
IsDebuggerPresent
failed 0 0
1619921348.968001
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619910848.035234
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (6 个事件)
Time & API Arguments Status Return Repeated
1619921361.734001
__exception__
stacktrace: 
0x8000a5
0x43ff4c8
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3075520
registers.edi: 3075548
registers.eax: 0
registers.ebp: 3075564
registers.edx: 8
registers.ebx: 0
registers.esi: 37918236
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 52 ee c8 9c e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8037e2
success 0 0
1619921396.187001
__exception__
stacktrace: 
0x5a21954
0x43ff9d1
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3074012
registers.edi: 3074108
registers.eax: 0
registers.ebp: 3074124
registers.edx: 37685332
registers.ebx: 0
registers.esi: 1631267346
registers.ecx: 0
exception.instruction_r: 39 09 e8 eb ec 34 6c 83 78 04 00 0f 84 1e 04 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5a9d752
success 0 0
1619921396.203001
__exception__
stacktrace: 
0x5a21b58
0x43ff9d1
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3074052
registers.edi: 39663448
registers.eax: 0
registers.ebp: 3074124
registers.edx: 39665608
registers.ebx: 39661628
registers.esi: 232058206
registers.ecx: 1908490458
exception.instruction_r: 39 00 68 ff ff ff 7f 6a 00 8b 4d c4 e8 ff 9f 42
exception.instruction: cmp dword ptr [eax], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5a9e870
success 0 0
1619921396.234001
__exception__
stacktrace: 
0x5a21e0a
0x43ff9d1
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3074048
registers.edi: 3074108
registers.eax: 0
registers.ebp: 3074124
registers.edx: 37685332
registers.ebx: 38134932
registers.esi: 374797811
registers.ecx: 0
exception.instruction_r: 39 09 e8 78 c3 3a 6c 89 45 b8 33 d2 89 55 dc e9
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5a400c5
success 0 0
1619921396.359001
__exception__
stacktrace: 
0x5a222c1
0x43ff9d1
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3074068
registers.edi: 1828085760
registers.eax: 3
registers.ebp: 3074124
registers.edx: 0
registers.ebx: 38134932
registers.esi: 39773968
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 2c ff 50 14 39 00 89 45 c8 b8 87 6d
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5a40dae
success 0 0
1619921396.562001
__exception__
stacktrace: 
0x43ff9d1
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752955ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75517f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75514de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3074132
registers.edi: 38135460
registers.eax: 0
registers.ebp: 3075612
registers.edx: 10
registers.ebx: 38134932
registers.esi: 1951542685
registers.ecx: 15
exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 8b 95 cc fa ff ff
exception.instruction: cmp dword ptr [eax + 4], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5a22426
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 174 个事件)
Time & API Arguments Status Return Repeated
1619910847.691234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00770000
success 0 0
1619910847.691234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b0000
success 0 0
1619910847.879234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x022a0000
success 0 0
1619910847.879234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02460000
success 0 0
1619910847.941234
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619910848.004234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00770000
success 0 0
1619910848.004234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00840000
success 0 0
1619910848.019234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0055a000
success 0 0
1619910848.019234
NtProtectVirtualMemory
process_identifier: 912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619910848.019234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00552000
success 0 0
1619910848.176234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00562000
success 0 0
1619910848.254234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00585000
success 0 0
1619910848.254234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0058b000
success 0 0
1619910848.254234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00587000
success 0 0
1619910848.347234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00563000
success 0 0
1619910848.379234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056c000
success 0 0
1619910848.769234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00564000
success 0 0
1619910848.785234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00566000
success 0 0
1619910848.879234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00680000
success 0 0
1619910848.972234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00567000
success 0 0
1619910849.004234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0057a000
success 0 0
1619910849.004234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00577000
success 0 0
1619910849.129234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00576000
success 0 0
1619910849.176234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00681000
success 0 0
1619910849.504234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0056a000
success 0 0
1619910849.660234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00568000
success 0 0
1619910849.691234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00683000
success 0 0
1619910849.801234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02461000
success 0 0
1619910849.941234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00569000
success 0 0
1619910849.988234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00890000
success 0 0
1619910849.988234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00891000
success 0 0
1619910850.035234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00841000
success 0 0
1619910850.035234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00842000
success 0 0
1619910850.051234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00843000
success 0 0
1619910850.051234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00844000
success 0 0
1619910850.051234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00845000
success 0 0
1619910850.051234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00848000
success 0 0
1619910850.051234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0084c000
success 0 0
1619910850.051234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0085d000
success 0 0
1619910850.051234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0085f000
success 0 0
1619910850.066234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00892000
success 0 0
1619910850.113234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00684000
success 0 0
1619910850.113234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00860000
success 0 0
1619910850.129234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00861000
success 0 0
1619910850.144234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00685000
success 0 0
1619910850.207234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00893000
success 0 0
1619910850.222234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00686000
success 0 0
1619910850.363234
NtAllocateVirtualMemory
process_identifier: 912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00687000
success 0 0
1619921348.906001
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00890000
success 0 0
1619921348.906001
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009c0000
success 0 0
Steals private information from local Internet browsers (7 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619921396.718001
CreateProcessInternalW
thread_identifier: 1948
thread_handle: 0x0000041c
process_identifier: 1320
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000430
inherit_handles: 1
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.669195027282799 section {'size_of_data': '0x00074a00', 'virtual_address': '0x00002000', 'entropy': 7.669195027282799, 'name': '.text', 'virtual_size': '0x00074954'} description A section with a high entropy has been found
entropy 0.9957310565635006 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619921349.828001
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 个事件)
Time & API Arguments Status Return Repeated
1619921357.875001
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 912
process_handle: 0x00000238
failed 0 0
1619921357.875001
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 912
process_handle: 0x00000238
success 0 0
Uses Windows utilities for basic Windows functionality (1 个事件)
cmdline "netsh" wlan show profile
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619910850.457234
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000022c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description d35e77616c34c301b5cb652c84b2d6f6.exe tried to sleep 2728266 seconds, actually delayed analysis time by 2728266 seconds
Harvests credentials from local FTP client softwares (4 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619910850.472234
WriteProcessMemory
process_identifier: 2452
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÛ¦°^à  ®®Ì à@  @…`ÌKà0  H.text´¬ ® `.rsrc0à°@@.reloc ¶@B
process_handle: 0x0000022c
base_address: 0x00400000
success 1 0
1619910850.472234
WriteProcessMemory
process_identifier: 2452
buffer:  €P€8€€h€ à¤Dãê¤4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h$InternalNameYCORLepAtdAEpMrHCbBbMERMyFQwbkD.exe(LegalCopyright p$OriginalFilenameYCORLepAtdAEpMrHCbBbMERMyFQwbkD.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x0000022c
base_address: 0x0044e000
success 1 0
1619910850.472234
WriteProcessMemory
process_identifier: 2452
buffer: À °<
process_handle: 0x0000022c
base_address: 0x00450000
success 1 0
1619910850.472234
WriteProcessMemory
process_identifier: 2452
buffer: @
process_handle: 0x0000022c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619910850.472234
WriteProcessMemory
process_identifier: 2452
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÛ¦°^à  ®®Ì à@  @…`ÌKà0  H.text´¬ ® `.rsrc0à°@@.reloc ¶@B
process_handle: 0x0000022c
base_address: 0x00400000
success 1 0
Harvests credentials from local email clients (5 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 912 called NtSetContextThread to modify thread in remote process 2452
Time & API Arguments Status Return Repeated
1619910850.472234
NtSetContextThread
thread_handle: 0x00000228
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4508846
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2452
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 912 resumed a thread in remote process 2452
Time & API Arguments Status Return Repeated
1619910850.738234
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2452
success 0 0
Executed a process and injected code into it, probably while unpacking (24 个事件)
Time & API Arguments Status Return Repeated
1619910848.004234
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 912
success 0 0
1619910848.019234
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 912
success 0 0
1619910848.035234
NtResumeThread
thread_handle: 0x00000164
suspend_count: 1
process_identifier: 912
success 0 0
1619910850.457234
CreateProcessInternalW
thread_identifier: 1436
thread_handle: 0x00000228
process_identifier: 2452
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d35e77616c34c301b5cb652c84b2d6f6.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d35e77616c34c301b5cb652c84b2d6f6.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000022c
inherit_handles: 0
success 1 0
1619910850.457234
NtGetContextThread
thread_handle: 0x00000228
success 0 0
1619910850.457234
NtAllocateVirtualMemory
process_identifier: 2452
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000022c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619910850.472234
WriteProcessMemory
process_identifier: 2452
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÛ¦°^à  ®®Ì à@  @…`ÌKà0  H.text´¬ ® `.rsrc0à°@@.reloc ¶@B
process_handle: 0x0000022c
base_address: 0x00400000
success 1 0
1619910850.472234
WriteProcessMemory
process_identifier: 2452
buffer:
process_handle: 0x0000022c
base_address: 0x00402000
success 1 0
1619910850.472234
WriteProcessMemory
process_identifier: 2452
buffer:  €P€8€€h€ à¤Dãê¤4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h$InternalNameYCORLepAtdAEpMrHCbBbMERMyFQwbkD.exe(LegalCopyright p$OriginalFilenameYCORLepAtdAEpMrHCbBbMERMyFQwbkD.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
process_handle: 0x0000022c
base_address: 0x0044e000
success 1 0
1619910850.472234
WriteProcessMemory
process_identifier: 2452
buffer: À °<
process_handle: 0x0000022c
base_address: 0x00450000
success 1 0
1619910850.472234
WriteProcessMemory
process_identifier: 2452
buffer: @
process_handle: 0x0000022c
base_address: 0x7efde008
success 1 0
1619910850.472234
NtSetContextThread
thread_handle: 0x00000228
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4508846
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2452
success 0 0
1619910850.738234
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2452
success 0 0
1619921348.968001
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2452
success 0 0
1619921349.000001
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2452
success 0 0
1619921349.062001
NtResumeThread
thread_handle: 0x000001a0
suspend_count: 1
process_identifier: 2452
success 0 0
1619921360.109001
NtResumeThread
thread_handle: 0x000002e8
suspend_count: 1
process_identifier: 2452
success 0 0
1619921360.140001
NtResumeThread
thread_handle: 0x00000318
suspend_count: 1
process_identifier: 2452
success 0 0
1619921361.750001
NtResumeThread
thread_handle: 0x00000374
suspend_count: 1
process_identifier: 2452
success 0 0
1619921367.953001
NtResumeThread
thread_handle: 0x000003c0
suspend_count: 1
process_identifier: 2452
success 0 0
1619921396.718001
CreateProcessInternalW
thread_identifier: 1948
thread_handle: 0x0000041c
process_identifier: 1320
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000430
inherit_handles: 1
success 1 0
1619921401.968001
NtResumeThread
thread_handle: 0x0000043c
suspend_count: 1
process_identifier: 2452
success 0 0
1619921402.031001
NtResumeThread
thread_handle: 0x00000454
suspend_count: 1
process_identifier: 2452
success 0 0
1619921397.922501
NtResumeThread
thread_handle: 0x0000022c
suspend_count: 1
process_identifier: 1320
success 0 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)
MicroWorld-eScan Trojan.GenericKD.33818266
CAT-QuickHeal Trojan.Multi
ALYac Trojan.GenericKD.33818266
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2018356
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Kryptik.ali2000016
K7GW Riskware ( 0040eff71 )
Cybereason malicious.131c4b
Arcabit Trojan.Generic.D204069A
Invincea heuristic
Cyren W32/MSIL_Kryptik.ARY.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Spy.MSIL.AveMaria.gen
BitDefender Trojan.GenericKD.33818266
NANO-Antivirus Trojan.Win32.KillProc2.hkbuhj
ViRobot Trojan.Win32.Z.Agent.480256.AR
Avast Win32:PWSX-gen [Trj]
Tencent Msil.Trojan-spy.Avemaria.Wpji
Ad-Aware Trojan.GenericKD.33818266
Sophos Mal/Generic-S
Comodo Malware@#3gbi1nf7nyqvz
DrWeb Trojan.KillProc2.10384
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.NEGASTEAL.THEAEBO
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
FireEye Generic.mg.d35e77616c34c301
Emsisoft Trojan.GenericKD.33818266 (B)
SentinelOne DFI - Malicious PE
F-Prot W32/MSIL_Kryptik.ARY.gen!Eldorado
Jiangmin TrojanSpy.MSIL.apvq
MAX malware (ai score=80)
Antiy-AVL Trojan[Spy]/MSIL.AveMaria
Microsoft TrojanSpy:MSIL/AgentTesla.AP!MTB
Endgame malicious (high confidence)
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan-Spy.MSIL.AveMaria.gen
GData Trojan.GenericKD.33818266
AhnLab-V3 Malware/Win32.RL_Generic.C4093600
McAfee Trojan-FSHN!D35E77616C34
VBA32 TScope.Trojan.MSIL
Malwarebytes Trojan.MalPack
ESET-NOD32 a variant of MSIL/Kryptik.VVH
TrendMicro-HouseCall TrojanSpy.Win32.NEGASTEAL.THEAEBO
Rising Spyware.AveMaria!8.108C2 (CLOUD)
Yandex Trojan.Igent.bTH9J0.15
Ikarus Trojan.MSIL.Inject
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-11 04:03:49

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.