14.2
0-day
55 个模型检测该样本为恶意!
重新分析
更多

0fc69a331beb9b0659e9d4721c885c82f94659f51495666b7d1d7f5de6ba5054

d3af95eb473b2b8a07df7579e6e4f40b.exe

分析耗时

79s

最近分析

文件大小

484.5KB
静态报毒 动态报毒 AGENSLA AGENTTESLA AI SCORE=80 ATTRIBUTE BASIC CONFIDENCE ELDORADO EM0@A0BEQBB FAREIT FCSU FXKCM HEAPOVERRIDE HIGH CONFIDENCE HIGHCONFIDENCE KRYPTIK M3PJYANNFUM MALICIOUS PE MALWARE@#LFUGJR8MGXLQ NANOCORE PWSX QQPASS QQROB R06EC0DIA20 SCORE SIGGEN2 STATIC AI SUSGEN UNSAFE WRGP YAKBEEXMSIL ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba TrojanSpy:MSIL/AgentTesla.03f77013 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20201210 21.1.5827.0
Tencent Msil.Trojan-qqpass.Qqrob.Wrgp 20201211 1.0.0.1
Kingsoft 20201211 2017.9.26.565
McAfee PWS-FCSU!D3AF95EB473B 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
Queries for the computername (4 个事件)
Time & API Arguments Status Return Repeated
1619926855.4055
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619926856.5625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619926858.3275
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619926873.4215
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619910851.577053
IsDebuggerPresent
failed 0 0
1619926854.4375
IsDebuggerPresent
failed 0 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619910852.155053
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (8 个事件)
Time & API Arguments Status Return Repeated
1619926858.2965
__exception__
stacktrace: 
0x80033d
0x22ef94a
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x73f493cb
CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x73f4940c
CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x73f49479
CoUninitializeEE-0x8c99 mscorwks+0x22723 @ 0x73f52723
CoUninitializeEE-0x8db6 mscorwks+0x22606 @ 0x73f52606
CoUninitializeEE-0x1b6a7 mscorwks+0xfd15 @ 0x73f3fd15
CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x73f40033
0x89083e
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4122180
registers.edi: 4122208
registers.eax: 0
registers.ebp: 4122224
registers.edx: 158
registers.ebx: 4122388
registers.esi: 41570240
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 dc b8 1a 58 41 16 e9 6a ff
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8006fd
success 0 0
1619926873.5935
__exception__
stacktrace: 
0x806832
0x80661d
0x803139
0x801ef6
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4122464
registers.edi: 42032716
registers.eax: 0
registers.ebp: 4122568
registers.edx: 42032684
registers.ebx: 0
registers.esi: 42033184
registers.ecx: 42033184
exception.instruction_r: 8b 40 04 89 45 e8 33 d2 89 55 ec b8 5c c3 db 4c
exception.instruction: mov eax, dword ptr [eax + 4]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x80da4c
success 0 0
1619926874.8595
__exception__
stacktrace: 
0x80470e
0x801ef6
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4122640
registers.edi: 42969760
registers.eax: 0
registers.ebp: 4122708
registers.edx: 42974212
registers.ebx: 42935652
registers.esi: 308770193
registers.ecx: 1911774966
exception.instruction_r: 39 00 68 ff ff ff 7f 6a 00 8b 4d c8 e8 82 aa dd
exception.instruction: cmp dword ptr [eax], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x53296ed
success 0 0
1619926874.9845
__exception__
stacktrace: 
0x804978
0x801ef6
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4122632
registers.edi: 4122692
registers.eax: 0
registers.ebp: 4122708
registers.edx: 4122600
registers.ebx: 42637548
registers.esi: 43029508
registers.ecx: 0
exception.instruction_r: 39 09 e8 62 91 d3 6c 89 45 b8 b8 e7 e1 a6 55 b9
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x532b6bf
success 0 0
1619926874.9845
__exception__
stacktrace: 
0x804b78
0x801ef6
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4122652
registers.edi: 4122692
registers.eax: 3
registers.ebp: 4122708
registers.edx: 0
registers.ebx: 42637548
registers.esi: 43037532
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 5c 39 00 89 45 c8 b8 28 91 58 c8 eb
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x532bc2f
success 0 0
1619926875.1405
__exception__
stacktrace: 
0x801ef6
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4122716
registers.edi: 0
registers.eax: 0
registers.ebp: 4124068
registers.edx: 7
registers.ebx: 42637548
registers.esi: 292835263
registers.ecx: 12
exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 8b 95 d8 fa ff ff
exception.instruction: cmp dword ptr [eax + 8], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x804a8d
success 0 0
1619926875.1555
__exception__
stacktrace: 
0x8050d8
0x801ef6
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4122592
registers.edi: 0
registers.eax: 37639809
registers.ebp: 4122708
registers.edx: 1
registers.ebx: 43113348
registers.esi: 940995226
registers.ecx: 0
exception.instruction_r: 39 09 e8 81 79 d3 6c 83 78 04 00 0f 84 e0 03 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x532cea0
success 0 0
1619926876.1715
__exception__
stacktrace: 
_vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77da9e31
IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x7637d141
OleCreateFromData+0x195 NdrProxyForwardingFunction4-0x81f ole32+0xc586d @ 0x767b586d
ObjectStublessClient31+0x886b STGMEDIUM_UserUnmarshal-0x20e43 ole32+0x998db @ 0x767898db
DllRegisterServerInternal+0x3df02 GetPrivateContextsPerfCounters-0x19797 mscorwks+0x94168 @ 0x73fc4168
0x47ad7a
system+0x7a24ea @ 0x71aa24ea
system+0x7a30b4 @ 0x71aa30b4
system+0x7a2c0a @ 0x71aa2c0a
system+0x7a0de4 @ 0x71aa0de4
system+0x79e6da @ 0x71a9e6da
system+0x79f065 @ 0x71a9f065
microsoft+0x12fb46 @ 0x7467fb46
0x800b44
system+0x1f84fa @ 0x714f84fa
0x891554
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
0x532ddac
0x801f7d
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4122652
registers.edi: 6881280
registers.eax: 4294967288
registers.ebp: 4122696
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 6881280
exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84
exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58
exception.instruction: cmp byte ptr [eax + 7], 5
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 499288
exception.address: 0x77da9e58
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 139 个事件)
Time & API Arguments Status Return Repeated
1619910850.561053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00880000
success 0 0
1619910850.561053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a40000
success 0 0
1619910851.358053
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619910851.577053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0048a000
success 0 0
1619910851.577053
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619910851.577053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00482000
success 0 0
1619910851.843053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a2000
success 0 0
1619910851.968053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a3000
success 0 0
1619910851.983053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004db000
success 0 0
1619910851.983053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d7000
success 0 0
1619910852.015053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ac000
success 0 0
1619910852.093053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f80000
success 0 0
1619910852.124053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f81000
success 0 0
1619910852.140053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f82000
success 0 0
1619910852.140053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f83000
success 0 0
1619910852.171053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f84000
success 0 0
1619910852.186053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a4000
success 0 0
1619910852.593053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a5000
success 0 0
1619910852.608053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a6000
success 0 0
1619910852.671053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a7000
success 0 0
1619910852.780053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ba000
success 0 0
1619910852.780053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b7000
success 0 0
1619910852.796053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ca000
success 0 0
1619910852.811053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0048b000
success 0 0
1619910852.827053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a8000
success 0 0
1619910852.843053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004a9000
success 0 0
1619910852.843053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f85000
success 0 0
1619910852.843053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e90000
success 0 0
1619910852.874053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004b6000
success 0 0
1619910852.874053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f87000
success 0 0
1619910853.265053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f88000
success 0 0
1619910853.280053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f00000
success 0 0
1619910853.296053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e91000
success 0 0
1619910853.296053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ad000
success 0 0
1619910853.296053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f89000
success 0 0
1619910853.311053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e92000
success 0 0
1619910853.327053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f8a000
success 0 0
1619910853.343053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f8b000
success 0 0
1619910853.343053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004aa000
success 0 0
1619910853.358053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f8c000
success 0 0
1619910853.358053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f8d000
success 0 0
1619910853.421053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a41000
success 0 0
1619910853.561053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f8e000
success 0 0
1619910853.593053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004c2000
success 0 0
1619910853.655053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d5000
success 0 0
1619910853.843053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f8f000
success 0 0
1619910853.983053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e93000
success 0 0
1619910854.108053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x046d0000
success 0 0
1619910854.108053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x04d70000
success 0 0
1619910854.108053
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04dd0000
success 0 0
Steals private information from local Internet browsers (4 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619926873.4685
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d3af95eb473b2b8a07df7579e6e4f40b.exe
newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmpG468.tmp
newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\\tmpG468.tmp
flags: 8
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d3af95eb473b2b8a07df7579e6e4f40b.exe
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.729368834619169 section {'size_of_data': '0x00078600', 'virtual_address': '0x00002000', 'entropy': 7.729368834619169, 'name': '.text', 'virtual_size': '0x00078414'} description A section with a high entropy has been found
entropy 0.9948347107438017 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619910854.483053
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619926873.4215
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (8 个事件)
Time & API Arguments Status Return Repeated
1619910854.718053
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2244
process_handle: 0x00000288
failed 0 0
1619910854.718053
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2244
process_handle: 0x00000288
success 0 0
1619910855.046053
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2420
process_handle: 0x00000294
failed 0 0
1619910855.046053
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2420
process_handle: 0x00000294
success 0 0
1619910855.452053
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2528
process_handle: 0x0000029c
failed 0 0
1619910855.452053
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2528
process_handle: 0x0000029c
success 0 0
1619910855.811053
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2228
process_handle: 0x000002a4
failed 0 0
1619910855.811053
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2228
process_handle: 0x000002a4
success 0 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (5 个事件)
Time & API Arguments Status Return Repeated
1619910854.452053
NtAllocateVirtualMemory
process_identifier: 2244
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000022c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910854.827053
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000028c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910855.140053
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000290
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910855.561053
NtAllocateVirtualMemory
process_identifier: 2228
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000298
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910855.905053
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002a0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Looks for the Windows Idle Time to determine the uptime (1 个事件)
Time & API Arguments Status Return Repeated
1619926875.9995
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description d3af95eb473b2b8a07df7579e6e4f40b.exe tried to sleep 2729459 seconds, actually delayed analysis time by 2729459 seconds
Installs itself for autorun at Windows startup (1 个事件)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MyApp reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\MyApp\MyApp.exe
Harvests credentials from local FTP client softwares (4 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Manipulates memory of a non-child process indicative of process injection (8 个事件)
Process injection Process 3000 manipulating memory of non-child process 2244
Process injection Process 3000 manipulating memory of non-child process 2420
Process injection Process 3000 manipulating memory of non-child process 2528
Process injection Process 3000 manipulating memory of non-child process 2228
Time & API Arguments Status Return Repeated
1619910854.452053
NtAllocateVirtualMemory
process_identifier: 2244
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000022c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910854.827053
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000028c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910855.140053
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000290
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910855.561053
NtAllocateVirtualMemory
process_identifier: 2228
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000298
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619910855.905053
WriteProcessMemory
process_identifier: 1068
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL–* ]à \Žz €@ À@…<zO€p   H.text”Z \ `.rsrcp€^@@.reloc  b@B
process_handle: 0x000002a0
base_address: 0x00400000
success 1 0
1619910855.921053
WriteProcessMemory
process_identifier: 1068
buffer: €0€HX€4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°tStringFileInfoP000004b0,FileDescription 0FileVersion0.0.0.0 ?InternalNameEDFRYZKNGUOWPQXINKFSPTWALSFVHVDTAHANXCGJ_20190619152910746.exe(LegalCopyright ¨?OriginalFilenameEDFRYZKNGUOWPQXINKFSPTWALSFVHVDTAHANXCGJ_20190619152910746.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000002a0
base_address: 0x00448000
success 1 0
1619910855.921053
WriteProcessMemory
process_identifier: 1068
buffer: p :
process_handle: 0x000002a0
base_address: 0x0044a000
success 1 0
1619910855.921053
WriteProcessMemory
process_identifier: 1068
buffer: @
process_handle: 0x000002a0
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619910855.905053
WriteProcessMemory
process_identifier: 1068
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL–* ]à \Žz €@ À@…<zO€p   H.text”Z \ `.rsrcp€^@@.reloc  b@B
process_handle: 0x000002a0
base_address: 0x00400000
success 1 0
Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)
Time & API Arguments Status Return Repeated
1619926876.1555
SetWindowsHookExW
thread_identifier: 0
callback_function: 0x00892872
module_address: 0x00400000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 196775 0
Harvests credentials from local email clients (5 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 3000 called NtSetContextThread to modify thread in remote process 1068
Time & API Arguments Status Return Repeated
1619910855.921053
NtSetContextThread
thread_handle: 0x000002a4
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4487822
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1068
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\MyApp\MyApp.exe:Zone.Identifier
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 3000 resumed a thread in remote process 1068
Time & API Arguments Status Return Repeated
1619910856.140053
NtResumeThread
thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 1068
success 0 0
Executed a process and injected code into it, probably while unpacking (32 个事件)
Time & API Arguments Status Return Repeated
1619910851.577053
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 3000
success 0 0
1619910851.671053
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 3000
success 0 0
1619910854.452053
CreateProcessInternalW
thread_identifier: 2240
thread_handle: 0x00000228
process_identifier: 2244
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d3af95eb473b2b8a07df7579e6e4f40b.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d3af95eb473b2b8a07df7579e6e4f40b.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000022c
inherit_handles: 0
success 1 0
1619910854.452053
NtGetContextThread
thread_handle: 0x00000228
success 0 0
1619910854.452053
NtAllocateVirtualMemory
process_identifier: 2244
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000022c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910854.827053
CreateProcessInternalW
thread_identifier: 2296
thread_handle: 0x00000288
process_identifier: 2420
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d3af95eb473b2b8a07df7579e6e4f40b.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d3af95eb473b2b8a07df7579e6e4f40b.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000028c
inherit_handles: 0
success 1 0
1619910854.827053
NtGetContextThread
thread_handle: 0x00000288
success 0 0
1619910854.827053
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000028c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910855.140053
CreateProcessInternalW
thread_identifier: 2544
thread_handle: 0x00000294
process_identifier: 2528
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d3af95eb473b2b8a07df7579e6e4f40b.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d3af95eb473b2b8a07df7579e6e4f40b.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000290
inherit_handles: 0
success 1 0
1619910855.140053
NtGetContextThread
thread_handle: 0x00000294
success 0 0
1619910855.140053
NtAllocateVirtualMemory
process_identifier: 2528
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000290
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910855.561053
CreateProcessInternalW
thread_identifier: 2252
thread_handle: 0x0000029c
process_identifier: 2228
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d3af95eb473b2b8a07df7579e6e4f40b.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d3af95eb473b2b8a07df7579e6e4f40b.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000298
inherit_handles: 0
success 1 0
1619910855.561053
NtGetContextThread
thread_handle: 0x0000029c
success 0 0
1619910855.561053
NtAllocateVirtualMemory
process_identifier: 2228
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000298
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910855.905053
CreateProcessInternalW
thread_identifier: 192
thread_handle: 0x000002a4
process_identifier: 1068
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d3af95eb473b2b8a07df7579e6e4f40b.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d3af95eb473b2b8a07df7579e6e4f40b.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000002a0
inherit_handles: 0
success 1 0
1619910855.905053
NtGetContextThread
thread_handle: 0x000002a4
success 0 0
1619910855.905053
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002a0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619910855.905053
WriteProcessMemory
process_identifier: 1068
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL–* ]à \Žz €@ À@…<zO€p   H.text”Z \ `.rsrcp€^@@.reloc  b@B
process_handle: 0x000002a0
base_address: 0x00400000
success 1 0
1619910855.921053
WriteProcessMemory
process_identifier: 1068
buffer:
process_handle: 0x000002a0
base_address: 0x00402000
success 1 0
1619910855.921053
WriteProcessMemory
process_identifier: 1068
buffer: €0€HX€4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°tStringFileInfoP000004b0,FileDescription 0FileVersion0.0.0.0 ?InternalNameEDFRYZKNGUOWPQXINKFSPTWALSFVHVDTAHANXCGJ_20190619152910746.exe(LegalCopyright ¨?OriginalFilenameEDFRYZKNGUOWPQXINKFSPTWALSFVHVDTAHANXCGJ_20190619152910746.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000002a0
base_address: 0x00448000
success 1 0
1619910855.921053
WriteProcessMemory
process_identifier: 1068
buffer: p :
process_handle: 0x000002a0
base_address: 0x0044a000
success 1 0
1619910855.921053
WriteProcessMemory
process_identifier: 1068
buffer: @
process_handle: 0x000002a0
base_address: 0x7efde008
success 1 0
1619910855.921053
NtSetContextThread
thread_handle: 0x000002a4
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4487822
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1068
success 0 0
1619910856.140053
NtResumeThread
thread_handle: 0x000002a4
suspend_count: 1
process_identifier: 1068
success 0 0
1619926854.4375
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 1068
success 0 0
1619926854.4685
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 1068
success 0 0
1619926856.4375
NtResumeThread
thread_handle: 0x000002b8
suspend_count: 1
process_identifier: 1068
success 0 0
1619926856.4845
NtResumeThread
thread_handle: 0x000002e8
suspend_count: 1
process_identifier: 1068
success 0 0
1619926873.4845
NtResumeThread
thread_handle: 0x00000364
suspend_count: 1
process_identifier: 1068
success 0 0
1619926873.4995
NtResumeThread
thread_handle: 0x000003ac
suspend_count: 1
process_identifier: 1068
success 0 0
1619926874.4995
NtResumeThread
thread_handle: 0x00000484
suspend_count: 1
process_identifier: 1068
success 0 0
1619926875.4995
NtResumeThread
thread_handle: 0x000004a4
suspend_count: 1
process_identifier: 1068
success 0 0
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.MSIL.Basic.2.Gen
FireEye Generic.mg.d3af95eb473b2b8a
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
Qihoo-360 Generic/Trojan.PSW.374
ALYac Trojan.MSIL.Basic.2.Gen
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 005676f61 )
Alibaba TrojanSpy:MSIL/AgentTesla.03f77013
K7GW Trojan ( 005676f61 )
Arcabit Trojan.MSIL.Basic.2.Gen
Cyren W32/MSIL_Kryptik.ATF.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:PWSX-gen [Trj]
ClamAV Win.Packed.Nanocore-8176540-0
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.MSIL.Basic.2.Gen
Paloalto generic.ml
AegisLab Trojan.Win32.Generic.4!c
Tencent Msil.Trojan-qqpass.Qqrob.Wrgp
Ad-Aware Trojan.MSIL.Basic.2.Gen
Emsisoft Trojan.MSIL.Basic.2.Gen (B)
Comodo Malware@#lfugjr8mgxlq
F-Secure Trojan.TR/AD.AgentTesla.fxkcm
DrWeb Trojan.PWS.Siggen2.49432
Zillya Trojan.Kryptik.Win32.2040004
TrendMicro TROJ_GEN.R06EC0DIA20
McAfee-GW-Edition BehavesLike.Win32.Fareit.gc
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Avira TR/AD.AgentTesla.fxkcm
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft TrojanSpy:MSIL/AgentTesla.RA!MTB
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.MSIL.Basic.2.Gen
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.AgentTesla.C4109788
McAfee PWS-FCSU!D3AF95EB473B
MAX malware (ai score=80)
VBA32 CIL.HeapOverride.Heur
Malwarebytes Spyware.AgentTesla
Zoner Trojan.Win32.89728
ESET-NOD32 a variant of MSIL/Kryptik.WBA
TrendMicro-HouseCall TROJ_GEN.R06EC0DIA20
Yandex Trojan.Kryptik!m3PjyanNfUM
Ikarus Trojan.Inject
Fortinet MSIL/Kryptik.WBA!tr
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-26 13:13:50

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.