SmartHawk

17.0

0-day

48 个模型检测该样本为恶意！

重新分析

下载样本

d286b259d2a986d300bffff49e6047c2e48af4d85e6936703e7b167266fdcc63

db13f973a6e611c1c751d74528bac914.exe

分析耗时

131s

最近分析

文件大小

737.5KB

静态报毒动态报毒 100% AGEN AI SCORE=84 ALI2000016 ARTEMIS ATTRIBUTE CASDET CONFIDENCE ELDORADO EPCU GENERICKD GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE HPPKON KCLOUD KRYPTIK MALICIOUS PE MALWARE@#2ERO1XDESAM08 PGEN QVM03 SCORE SIGGEN10 SPYGATE STATIC AI SUSGEN UM0@AUBV7JN UNSAFE ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!DB13F973A6E6	20201211	6.0.6.653
Alibaba	Trojan:Win32/Kryptik.ali2000016	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:Trojan-gen	20201210	21.1.5827.0
Kingsoft	Win32.Hack.Undef.(kcloud)	20201211	2017.9.26.565
Tencent		20201211	1.0.0.1

Queries for the computername (32 个事件)

Time & API	Arguments	Status	Return
1619967013.91925 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967014.38725 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967014.41925 GetComputerNameW	computer_name:	failed	0
1619967014.41925 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967015.10625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967015.60625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967018.27825 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619967018.27825 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967018.48125 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619967022.528125 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967060.606502 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967061.497502 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967061.887502 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967062.137502 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967085.700502 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619967085.700502 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967029.559875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967030.950875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967030.966875 GetComputerNameW	computer_name:	failed	0
1619967030.966875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967035.591875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967047.231875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967057.044875 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619967062.247875 GetComputerNameW	computer_name:	failed	0
1619967062.247875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967065.809875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967075.51225 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967076.15325 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967076.40325 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967076.46625 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619967094.37225 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619967094.37225 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (14 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948416.388017 IsDebuggerPresent		failed	0	0
1619948416.388017 IsDebuggerPresent		failed	0	0
1619967012.27825 IsDebuggerPresent		failed	0	0
1619967012.27825 IsDebuggerPresent		failed	0	0
1619967014.731875 IsDebuggerPresent		failed	0	0
1619967014.747875 IsDebuggerPresent		failed	0	0
1619967023.825627 IsDebuggerPresent		failed	0	0
1619967023.841627 IsDebuggerPresent		failed	0	0
1619967064.512502 IsDebuggerPresent		failed	0	0
1619967027.762875 IsDebuggerPresent		failed	0	0
1619967027.762875 IsDebuggerPresent		failed	0	0
1619967031.60675 IsDebuggerPresent		failed	0	0
1619967031.62275 IsDebuggerPresent		failed	0	0
1619967077.49725 IsDebuggerPresent		failed	0	0

Command line console output was observed (20 个事件)

Time & API	Arguments	Status	Return
1619967024.731125 WriteConsoleW	buffer: 成功: 成功创建计划任务 "edfefeffe"。 console_handle: 0x00000007	success	1
1619967094.403502 WriteConsoleW	buffer: Remove-ItemProperty : 路径 HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current console_handle: 0x0000000000000023	success	1
1619967094.450502 WriteConsoleW	buffer: Version\Run 处不存在属性 Chrome.exe。 console_handle: 0x000000000000002f	success	1
1619967094.466502 WriteConsoleW	buffer: 所在位置行:1 字符: 20 console_handle: 0x000000000000003b	success	1
1619967094.466502 WriteConsoleW	buffer: + Remove-ItemProperty <<<< -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVers console_handle: 0x0000000000000047	success	1
1619967094.497502 WriteConsoleW	buffer: ion\Run' -Name 'Chrome.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Wi console_handle: 0x0000000000000053	success	1
1619967094.512502 WriteConsoleW	buffer: ndows\CurrentVersion\Run' -Name 'Chrome.exe' -Value 'C:\Users\Administrator.Osk console_handle: 0x000000000000005f	success	1
1619967094.544502 WriteConsoleW	buffer: ar-PC\AppData\Roaming\Temp\Chrome.exe' -PropertyType 'String' console_handle: 0x000000000000006b	success	1
1619967094.544502 WriteConsoleW	buffer: + CategoryInfo : InvalidArgument: (Chrome.exe:String) [Remove-Ite console_handle: 0x0000000000000077	success	1
1619967094.575502 WriteConsoleW	buffer: mProperty], PSArgumentException console_handle: 0x0000000000000083	success	1
1619967094.591502 WriteConsoleW	buffer: + FullyQualifiedErrorId : System.Management.Automation.PSArgumentException console_handle: 0x000000000000008f	success	1
1619967094.637502 WriteConsoleW	buffer: ,Microsoft.PowerShell.Commands.RemoveItemPropertyCommand console_handle: 0x000000000000009b	success	1
1619967097.809502 WriteConsoleW	buffer: PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\M console_handle: 0x000000000000001f	success	1
1619967097.825502 WriteConsoleW	buffer: icrosoft\Windows\CurrentVersion\Run console_handle: 0x0000000000000023	success	1
1619967097.841502 WriteConsoleW	buffer: PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\M console_handle: 0x0000000000000027	success	1
1619967097.856502 WriteConsoleW	buffer: icrosoft\Windows\CurrentVersion console_handle: 0x000000000000002b	success	1
1619967097.872502 WriteConsoleW	buffer: PSChildName : Run console_handle: 0x000000000000002f	success	1
1619967097.872502 WriteConsoleW	buffer: PSDrive : HKCU console_handle: 0x0000000000000033	success	1
1619967097.872502 WriteConsoleW	buffer: PSProvider : Microsoft.PowerShell.Core\Registry console_handle: 0x0000000000000037	success	1
1619967097.887502 WriteConsoleW	buffer: Chrome.exe : C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\Chrome.exe console_handle: 0x000000000000003b	success	1

Uses Windows APIs to generate a cryptographic key (50 out of 124 个事件)

Time & API	Arguments	Status	Return
1619967067.872502 CryptExportKey	crypto_handle: 0x00000000003d9910 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967072.622502 CryptExportKey	crypto_handle: 0x000000001b85ed60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967072.622502 CryptExportKey	crypto_handle: 0x000000001b85ed60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967072.637502 CryptExportKey	crypto_handle: 0x000000001b85ed60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967073.231502 CryptExportKey	crypto_handle: 0x000000001b85ed60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967073.247502 CryptExportKey	crypto_handle: 0x000000001b85ed60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967073.278502 CryptExportKey	crypto_handle: 0x000000001b85ed60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967073.466502 CryptExportKey	crypto_handle: 0x000000001b85ed60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967073.559502 CryptExportKey	crypto_handle: 0x000000001b85f000 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967073.559502 CryptExportKey	crypto_handle: 0x000000001b85f000 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967074.309502 CryptExportKey	crypto_handle: 0x000000001b85f070 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967074.309502 CryptExportKey	crypto_handle: 0x000000001b85f070 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967074.325502 CryptExportKey	crypto_handle: 0x000000001b85f070 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967074.325502 CryptExportKey	crypto_handle: 0x000000001b85f070 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967076.341502 CryptExportKey	crypto_handle: 0x000000001b85f310 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967076.356502 CryptExportKey	crypto_handle: 0x000000001b85f310 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967076.372502 CryptExportKey	crypto_handle: 0x000000001b85f310 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967076.841502 CryptExportKey	crypto_handle: 0x000000001b85f310 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967076.856502 CryptExportKey	crypto_handle: 0x000000001b85f310 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967076.934502 CryptExportKey	crypto_handle: 0x000000001b85f310 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967077.387502 CryptExportKey	crypto_handle: 0x000000001b85f310 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967081.591502 CryptExportKey	crypto_handle: 0x000000001b85f850 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967081.606502 CryptExportKey	crypto_handle: 0x000000001b85f850 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967081.622502 CryptExportKey	crypto_handle: 0x000000001b85f850 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967081.637502 CryptExportKey	crypto_handle: 0x000000001b85f8c0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967081.669502 CryptExportKey	crypto_handle: 0x000000001b85f8c0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967081.700502 CryptExportKey	crypto_handle: 0x000000001b85f8c0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967081.716502 CryptExportKey	crypto_handle: 0x000000001b85f8c0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967081.731502 CryptExportKey	crypto_handle: 0x000000001b85f8c0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967081.747502 CryptExportKey	crypto_handle: 0x000000001b85f9a0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967081.762502 CryptExportKey	crypto_handle: 0x000000001b85f9a0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967081.762502 CryptExportKey	crypto_handle: 0x000000001b85f9a0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967082.653502 CryptExportKey	crypto_handle: 0x000000001b85f9a0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967082.669502 CryptExportKey	crypto_handle: 0x000000001b85f9a0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967084.231502 CryptExportKey	crypto_handle: 0x000000001b85fa80 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967084.247502 CryptExportKey	crypto_handle: 0x000000001b85fa80 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967084.262502 CryptExportKey	crypto_handle: 0x000000001b85fa80 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967084.419502 CryptExportKey	crypto_handle: 0x000000001b85fa80 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967084.434502 CryptExportKey	crypto_handle: 0x000000001b85fa80 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967084.450502 CryptExportKey	crypto_handle: 0x000000001b85fa80 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967084.622502 CryptExportKey	crypto_handle: 0x000000001b85fa80 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967085.091502 CryptExportKey	crypto_handle: 0x000000001b85fb60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967085.106502 CryptExportKey	crypto_handle: 0x000000001b85fb60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967085.903502 CryptExportKey	crypto_handle: 0x000000001b85f070 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967085.903502 CryptExportKey	crypto_handle: 0x000000001b85f070 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967085.934502 CryptExportKey	crypto_handle: 0x000000001b85fb60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967085.934502 CryptExportKey	crypto_handle: 0x000000001b85fb60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967085.950502 CryptExportKey	crypto_handle: 0x000000001b85fb60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967086.091502 CryptExportKey	crypto_handle: 0x000000001b85fb60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619967086.091502 CryptExportKey	crypto_handle: 0x000000001b85fb60 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948416.404017 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (3 个事件)

Time & API	Arguments	Status
1619967026.200875 __exception__	stacktrace: RtlLogStackBackTrace+0x890 RtlTraceDatabaseCreate-0xa0 ntdll+0xc7a40 @ 0x77c17a40 RtlGetUserInfoHeap+0x66 RtlCompactHeap-0x31a ntdll+0xed316 @ 0x77c3d316 GlobalSize+0x58 GlobalUnlock-0x118 kernel32+0x4e458 @ 0x77a7e458 OleCreateFromData+0x1f5 CoGetInstanceFromIStorage-0x535b ole32+0x1667d5 @ 0x7feffdb67d5 OleCreateFromData+0x4cc CoGetInstanceFromIStorage-0x5084 ole32+0x166aac @ 0x7feffdb6aac DllRegisterServerInternal-0x1da9 clr+0x1f37 @ 0x7fef1b41f37 system+0x711edb @ 0x7fef0321edb 0x7ff0014f949 0x7ff0014e871 0x7ff0014e715 0x7ff0014cc87 0x7ff0014c6d1 0x7ff0014c670 mscorlib+0x37181c @ 0x7fef0c3181c mscorlib+0x37172b @ 0x7fef0c3172b mscorlib+0x406f2d @ 0x7fef0cc6f2d CoUninitializeEE+0x3d374 CreateAssemblyNameObject-0x2d7dc clr+0x410b4 @ 0x7fef1b810b4 CoUninitializeEE+0x3d489 CreateAssemblyNameObject-0x2d6c7 clr+0x411c9 @ 0x7fef1b811c9 CoUninitializeEE+0x3d505 CreateAssemblyNameObject-0x2d64b clr+0x41245 @ 0x7fef1b81245 CoUninitializeEE+0x44a50 CreateAssemblyNameObject-0x26100 clr+0x48790 @ 0x7fef1b88790 CopyPDBs+0x2017c ClrCreateManagedInstance-0xc568 clr+0x12e810 @ 0x7fef1c6e810 StrongNameSignatureVerification+0x15906 GetMetaDataPublicInterfaceFromInternal-0x36e7a clr+0xd7096 @ 0x7fef1c17096 StrongNameSignatureVerification+0x1589b GetMetaDataPublicInterfaceFromInternal-0x36ee5 clr+0xd702b @ 0x7fef1c1702b StrongNameSignatureVerification+0x15808 GetMetaDataPublicInterfaceFromInternal-0x36f78 clr+0xd6f98 @ 0x7fef1c16f98 StrongNameSignatureVerification+0x1595f GetMetaDataPublicInterfaceFromInternal-0x36e21 clr+0xd70ef @ 0x7fef1c170ef CopyPDBs+0x1ffcc ClrCreateManagedInstance-0xc718 clr+0x12e660 @ 0x7fef1c6e660 StrongNameErrorInfo+0x18986 _CorDllMain-0x191ba clr+0x2247c6 @ 0x7fef1d647c6 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x77a4652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77b7c521 registers.r14: 0 registers.r9: 0 registers.rcx: 4259840 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rdi: 0 registers.r11: 514 registers.r8: 0 registers.rdx: -16 registers.rbp: 0 registers.r15: 0 registers.r12: 0 registers.rsp: 472120992 registers.rax: 472116216 registers.r13: 0 exception.instruction_r: 80 7a 0f 05 75 0b 0f b6 42 0e 48 c1 e0 04 48 2b exception.symbol: RtlLogStackBackTrace+0x890 RtlTraceDatabaseCreate-0xa0 ntdll+0xc7a40 exception.instruction: cmp byte ptr [rdx + 0xf], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 817728 exception.address: 0x77c17a40	success
1619967069.403875 __exception__	stacktrace: 0x62b3e69 0x62b394d system+0x1d02f7 @ 0x708d02f7 system+0x216fb6 @ 0x70916fb6 0x25409e5 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a system+0x232eec @ 0x70932eec system+0x2271ff @ 0x709271ff system+0x226e2c @ 0x70926e2c system+0x226c81 @ 0x70926c81 0x522d85 0x5228c7 0x5209d9 0x5200e5 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3598872 registers.edi: 40793964 registers.eax: 40736980 registers.ebp: 3598964 registers.edx: 13 registers.ebx: 2 registers.esi: 40776004 registers.ecx: 0 exception.instruction_r: 39 09 e8 d7 20 6a 6b 89 45 ac 8b 4d c0 8b 01 8b exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62be582	success
1619967069.419875 __exception__	stacktrace: 0x62be601 0x62b3e69 0x62b394d system+0x1d02f7 @ 0x708d02f7 system+0x216fb6 @ 0x70916fb6 0x25409e5 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a system+0x232eec @ 0x70932eec system+0x2271ff @ 0x709271ff system+0x226e2c @ 0x70926e2c system+0x226c81 @ 0x70926c81 0x522d85 0x5228c7 0x5209d9 0x5200e5 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3594448 registers.edi: 40793964 registers.eax: 40736980 registers.ebp: 3594496 registers.edx: 0 registers.ebx: 2 registers.esi: 40776004 registers.ecx: 0 exception.instruction_r: 39 09 e8 e2 b3 1d 6b 90 90 eb 1e 89 45 d0 8b 4d exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x62be66f	success

Time & API

Arguments

Status

Return

Repeated

1619967026.200875
__exception__

stacktrace:

RtlLogStackBackTrace+0x890 RtlTraceDatabaseCreate-0xa0 ntdll+0xc7a40 @ 0x77c17a40
RtlGetUserInfoHeap+0x66 RtlCompactHeap-0x31a ntdll+0xed316 @ 0x77c3d316
GlobalSize+0x58 GlobalUnlock-0x118 kernel32+0x4e458 @ 0x77a7e458
OleCreateFromData+0x1f5 CoGetInstanceFromIStorage-0x535b ole32+0x1667d5 @ 0x7feffdb67d5
OleCreateFromData+0x4cc CoGetInstanceFromIStorage-0x5084 ole32+0x166aac @ 0x7feffdb6aac
DllRegisterServerInternal-0x1da9 clr+0x1f37 @ 0x7fef1b41f37
system+0x711edb @ 0x7fef0321edb
0x7ff0014f949
0x7ff0014e871
0x7ff0014e715
0x7ff0014cc87
0x7ff0014c6d1
0x7ff0014c670
mscorlib+0x37181c @ 0x7fef0c3181c
mscorlib+0x37172b @ 0x7fef0c3172b
mscorlib+0x406f2d @ 0x7fef0cc6f2d
CoUninitializeEE+0x3d374 CreateAssemblyNameObject-0x2d7dc clr+0x410b4 @ 0x7fef1b810b4
CoUninitializeEE+0x3d489 CreateAssemblyNameObject-0x2d6c7 clr+0x411c9 @ 0x7fef1b811c9
CoUninitializeEE+0x3d505 CreateAssemblyNameObject-0x2d64b clr+0x41245 @ 0x7fef1b81245
CoUninitializeEE+0x44a50 CreateAssemblyNameObject-0x26100 clr+0x48790 @ 0x7fef1b88790
CopyPDBs+0x2017c ClrCreateManagedInstance-0xc568 clr+0x12e810 @ 0x7fef1c6e810
StrongNameSignatureVerification+0x15906 GetMetaDataPublicInterfaceFromInternal-0x36e7a clr+0xd7096 @ 0x7fef1c17096
StrongNameSignatureVerification+0x1589b GetMetaDataPublicInterfaceFromInternal-0x36ee5 clr+0xd702b @ 0x7fef1c1702b
StrongNameSignatureVerification+0x15808 GetMetaDataPublicInterfaceFromInternal-0x36f78 clr+0xd6f98 @ 0x7fef1c16f98
StrongNameSignatureVerification+0x1595f GetMetaDataPublicInterfaceFromInternal-0x36e21 clr+0xd70ef @ 0x7fef1c170ef
CopyPDBs+0x1ffcc ClrCreateManagedInstance-0xc718 clr+0x12e660 @ 0x7fef1c6e660
StrongNameErrorInfo+0x18986 _CorDllMain-0x191ba clr+0x2247c6 @ 0x7fef1d647c6
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x77a4652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x77b7c521

registers.r14: 0
registers.r9: 0
registers.rcx: 4259840
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rdi: 0
registers.r11: 514
registers.r8: 0
registers.rdx: -16
registers.rbp: 0
registers.r15: 0
registers.r12: 0
registers.rsp: 472120992
registers.rax: 472116216
registers.r13: 0
exception.instruction_r: 80 7a 0f 05 75 0b 0f b6 42 0e 48 c1 e0 04 48 2b
exception.symbol: RtlLogStackBackTrace+0x890 RtlTraceDatabaseCreate-0xa0 ntdll+0xc7a40
exception.instruction: cmp byte ptr [rdx + 0xf], 5
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 817728
exception.address: 0x77c17a40

success

1619967069.403875
__exception__

stacktrace:

0x62b3e69
0x62b394d
system+0x1d02f7 @ 0x708d02f7
system+0x216fb6 @ 0x70916fb6
0x25409e5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a
system+0x232eec @ 0x70932eec
system+0x2271ff @ 0x709271ff
system+0x226e2c @ 0x70926e2c
system+0x226c81 @ 0x70926c81
0x522d85
0x5228c7
0x5209d9
0x5200e5
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3598872
registers.edi: 40793964
registers.eax: 40736980
registers.ebp: 3598964
registers.edx: 13
registers.ebx: 2
registers.esi: 40776004
registers.ecx: 0
exception.instruction_r: 39 09 e8 d7 20 6a 6b 89 45 ac 8b 4d c0 8b 01 8b
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x62be582

success

1619967069.419875
__exception__

stacktrace:

0x62be601
0x62b3e69
0x62b394d
system+0x1d02f7 @ 0x708d02f7
system+0x216fb6 @ 0x70916fb6
0x25409e5
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a
system+0x232eec @ 0x70932eec
system+0x2271ff @ 0x709271ff
system+0x226e2c @ 0x70926e2c
system+0x226c81 @ 0x70926c81
0x522d85
0x5228c7
0x5209d9
0x5200e5
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3594448
registers.edi: 40793964
registers.eax: 40736980
registers.ebp: 3594496
registers.edx: 0
registers.ebx: 2
registers.esi: 40776004
registers.ecx: 0
exception.instruction_r: 39 09 e8 e2 b3 1d 6b 90 90 eb 1e 89 45 d0 8b 4d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x62be66f

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (6 个事件)

Time & API	Arguments	Status	Return
1619967013.21625 bind	ip_address: 127.0.0.1 socket: 600 port: 0	success	0
1619967013.21625 listen	socket: 600 backlog: 2147483647	success	0
1619967013.29425 accept	ip_address: 127.0.0.1 socket: 600 port: 0	failed	4294967295
1619967028.387875 bind	ip_address: 127.0.0.1 socket: 592 port: 0	success	0
1619967028.387875 listen	socket: 592 backlog: 2147483647	success	0
1619967028.387875 accept	ip_address: 127.0.0.1 socket: 592 port: 0	failed	4294967295

Allocates read-write-execute memory (usually to unpack itself) (50 out of 844 个事件)

Time & API	Arguments	Status
1619948415.763017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00790000	success
1619948415.763017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008f0000	success
1619948416.138017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00390000	success
1619948416.138017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a0000	success
1619948416.216017 NtProtectVirtualMemory	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619948416.388017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02140000	success
1619948416.388017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02310000	success
1619948416.388017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003ea000	success
1619948416.388017 NtProtectVirtualMemory	process_identifier: 784 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1619948416.388017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e2000	success
1619948416.560017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f2000	success
1619948416.654017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00425000	success
1619948416.654017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0042b000	success
1619948416.654017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00427000	success
1619948416.732017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f3000	success
1619948416.779017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f4000	success
1619948416.779017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003fc000	success
1619948416.826017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00600000	success
1619948416.857017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00601000	success
1619948416.872017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f5000	success
1619948416.872017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00603000	success
1619948416.888017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00604000	success
1619948416.919017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00605000	success
1619948417.357017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00606000	success
1619948417.529017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f6000	success
1619948417.529017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f7000	success
1619948417.701017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f8000	success
1619948417.763017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00607000	success
1619948418.169017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00608000	success
1619948418.185017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00609000	success
1619948418.201017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f9000	success
1619948418.216017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0061f000	success
1619948418.216017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00610000	success
1619948418.326017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00680000	success
1619948418.326017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060a000	success
1619948418.341017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060b000	success
1619948418.341017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060c000	success
1619948418.341017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060d000	success
1619948418.529017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00681000	success
1619948418.576017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0060e000	success
1619948418.576017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00683000	success
1619948418.622017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04430000	success
1619948418.622017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04431000	success
1619948418.654017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04436000	success
1619948418.669017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04437000	success
1619948419.029017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00684000	success
1619948419.029017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003fd000	success
1619948419.044017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003fa000	success
1619948419.044017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04438000	success
1619948419.044017 NtAllocateVirtualMemory	process_identifier: 784 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00685000	success

Creates executable files on the filesystem (3 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp98FF.tmp.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\Chrome.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp608A.tmp.exe

Creates hidden or system file (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619967021.93425 SetFileAttributesW	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\Administrator\AppData\fefefeffer.exe filepath: C:\Users\Administrator\AppData\fefefeffer.exe	success	1	0

Creates a shortcut to an executable file (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 个事件)

cmdline	schtasks /create /sc minute /mo 1 /tn edfefeffe /tr C:\Users\Administrator\AppData\fefefeffer.exe
cmdline	"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Chrome.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Chrome.exe' -Value '"C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\Chrome.exe"' -PropertyType 'String'

Executes one or more WMI queries (1 个事件)

wmi	select * from Win32_OperatingSystem

A process created a hidden window (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619967024.137875 CreateProcessInternalW	thread_identifier: 3324 thread_handle: 0x0000000000000228 process_identifier: 3320 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Chrome.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Chrome.exe' -Value '"C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\Chrome.exe"' -PropertyType 'String' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x0000000000000230 inherit_handles: 1	success	1	0
1619967045.68475 CreateProcessInternalW	thread_identifier: 3940 thread_handle: 0x0000000000000214 process_identifier: 3936 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Chrome.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Chrome.exe' -Value '"C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\Chrome.exe"' -PropertyType 'String' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x000000000000022c inherit_handles: 1	success	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 个事件)

Time & API	Arguments	Status	Return
1619967050.309875 Process32NextW	process_name: Server.exe snapshot_handle: 0x00000510 process_identifier: 3288	success	1
1619967050.372875 Process32NextW	process_name: tmp98FF.tmp.exe snapshot_handle: 0x00000510 process_identifier: 3588	success	1
1619967050.434875 Process32NextW	process_name: powershell.exe snapshot_handle: 0x00000510 process_identifier: 3936	success	1
1619967050.434875 Process32NextW	process_name: conhost.exe snapshot_handle: 0x00000510 process_identifier: 4052	success	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 个事件)

Time & API	Arguments	Status	Return
1619967021.41925 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619967021.45025 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619967067.450502 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619967059.637875 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619967059.637875 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619967079.63725 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1

Uses Windows utilities for basic Windows functionality (1 个事件)

cmdline

schtasks /create /sc minute /mo 1 /tn edfefeffe /tr C:\Users\Administrator\AppData\fefefeffer.exe

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948418.747017 NtAllocateVirtualMemory	process_identifier: 1108 region_size: 180224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0
1619967026.216627 NtAllocateVirtualMemory	process_identifier: 3484 region_size: 180224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

Looks for the Windows Idle Time to determine the uptime (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619967018.05925 NtQuerySystemInformation	information_class: 8 (SystemProcessorPerformanceInformation)	success	0	0

A process attempted to delay the analysis task. (2 个事件)

description	db13f973a6e611c1c751d74528bac914.exe tried to sleep 2728165 seconds, actually delayed analysis time by 2728165 seconds
description	Server.exe tried to sleep 2728217 seconds, actually delayed analysis time by 2728217 seconds

Checks the CPU name from registry, possibly for anti-virtualization (1 个事件)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (50 out of 109 个事件)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\db13f973a6e611c1c751d74528bac914.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\db13f973a6e611c1c751d74528bac914.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Chrome.exe	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\Chrome.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome	reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\grgrgrgrg\fefefefe\Server.exe

Potential code injection by writing to the memory of another process (8 个事件)

Time & API	Arguments	Status	Return
1619948418.747017 WriteProcessMemory	process_identifier: 1108 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÚÇ_àNÞm @ À@mK H.textäM N `.rsrcP@@.reloc V@B process_handle: 0x000001f4 base_address: 0x00400000	success	1
1619948418.763017 WriteProcessMemory	process_identifier: 1108 buffer: P8h\ÌÌ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion0.1.3.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion0.1.3.08Assembly Version0.1.3.0lêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x000001f4 base_address: 0x00428000	success	1
1619948418.763017 WriteProcessMemory	process_identifier: 1108 buffer: `à= process_handle: 0x000001f4 base_address: 0x0042a000	success	1
1619948418.763017 WriteProcessMemory	process_identifier: 1108 buffer: @ process_handle: 0x000001f4 base_address: 0x7efde008	success	1
1619967026.216627 WriteProcessMemory	process_identifier: 3484 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÚÇ_àNÞm @ À@mK H.textäM N `.rsrcP@@.reloc V@B process_handle: 0x000001f8 base_address: 0x00400000	success	1
1619967026.231627 WriteProcessMemory	process_identifier: 3484 buffer: P8h\ÌÌ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion0.1.3.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion0.1.3.08Assembly Version0.1.3.0lêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> process_handle: 0x000001f8 base_address: 0x00428000	success	1
1619967026.231627 WriteProcessMemory	process_identifier: 3484 buffer: `à= process_handle: 0x000001f8 base_address: 0x0042a000	success	1
1619967026.231627 WriteProcessMemory	process_identifier: 3484 buffer: @ process_handle: 0x000001f8 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948418.747017 WriteProcessMemory	process_identifier: 1108 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÚÇ_àNÞm @ À@mK H.textäM N `.rsrcP@@.reloc V@B process_handle: 0x000001f4 base_address: 0x00400000	success	1	0
1619967026.216627 WriteProcessMemory	process_identifier: 3484 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÚÇ_àNÞm @ À@mK H.textäM N `.rsrcP@@.reloc V@B process_handle: 0x000001f8 base_address: 0x00400000	success	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619967022.10625 SetWindowsHookExW	thread_identifier: 0 callback_function: 0x007e5c72 module_address: 0x00400000 hook_identifier: 13 (WH_KEYBOARD_LL)	success	393647	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 784 called NtSetContextThread to modify thread in remote process 1108
Process injection	Process 3288 called NtSetContextThread to modify thread in remote process 3484
1619948418.763017 NtSetContextThread	thread_handle: 0x000001f0 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4353502 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1108	success	0	0
1619967026.231627 NtSetContextThread	thread_handle: 0x000001f4 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4353502 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3484	success	0	0

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (50 out of 58 个事件)

Time & API	Arguments	Status	Return
1619967021.79425 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.79425 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.79425 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.79425 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.79425 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.79425 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.79425 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.79425 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.82525 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.82525 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.82525 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.82525 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.82525 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.82525 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.82525 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967021.82525 CryptHashData	buffer: ÿÿÿÿ_FILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\LOCAL\TEMP\DB13F973A6E611C1C751D74528BAC914.EXE flags: 0 hash_handle: 0x004dccb0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.762875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1
1619967059.794875 CryptHashData	buffer: ÿÿÿÿUFILE:///C:\USERS\ADMINISTRATOR.OSKAR-PC\APPDATA\ROAMING\GRGRGRGRG\FEFEFEFE\SERVER.EXE flags: 0 hash_handle: 0x0074d6e0	success	1

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-28 14:58:52

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
localhost.unidev.com.br	A 191.232.176.217	191.232.176.217
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	172.217.160.110
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.