10.4
0-day
该样本未表现出任何异常!
重新分析
更多

423cd28053c00eb61a964eca3b9a9b3857405b176c10ebbff85aedc199288464

df52710baed1e23ff0b98df9568f4f49.exe

分析耗时

78s

最近分析

文件大小

918.5KB
静态报毒 动态报毒 PUTTY
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
未检测 暂无反病毒引擎检测结果
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619977404.330774
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 95 个事件)
Time & API Arguments Status Return Repeated
1619977352.238125
IsDebuggerPresent
failed 0 0
1619977352.254125
IsDebuggerPresent
failed 0 0
1619977353.769125
IsDebuggerPresent
failed 0 0
1619977354.285125
IsDebuggerPresent
failed 0 0
1619977354.785125
IsDebuggerPresent
failed 0 0
1619977355.285125
IsDebuggerPresent
failed 0 0
1619977355.785125
IsDebuggerPresent
failed 0 0
1619977356.285125
IsDebuggerPresent
failed 0 0
1619977356.785125
IsDebuggerPresent
failed 0 0
1619977357.285125
IsDebuggerPresent
failed 0 0
1619977357.785125
IsDebuggerPresent
failed 0 0
1619977358.285125
IsDebuggerPresent
failed 0 0
1619977358.785125
IsDebuggerPresent
failed 0 0
1619977359.285125
IsDebuggerPresent
failed 0 0
1619977359.785125
IsDebuggerPresent
failed 0 0
1619977360.285125
IsDebuggerPresent
failed 0 0
1619977360.785125
IsDebuggerPresent
failed 0 0
1619977361.285125
IsDebuggerPresent
failed 0 0
1619977361.785125
IsDebuggerPresent
failed 0 0
1619977362.285125
IsDebuggerPresent
failed 0 0
1619977362.785125
IsDebuggerPresent
failed 0 0
1619977363.285125
IsDebuggerPresent
failed 0 0
1619977363.785125
IsDebuggerPresent
failed 0 0
1619977364.285125
IsDebuggerPresent
failed 0 0
1619977364.785125
IsDebuggerPresent
failed 0 0
1619977365.285125
IsDebuggerPresent
failed 0 0
1619977365.785125
IsDebuggerPresent
failed 0 0
1619977366.285125
IsDebuggerPresent
failed 0 0
1619977366.785125
IsDebuggerPresent
failed 0 0
1619977367.285125
IsDebuggerPresent
failed 0 0
1619977367.785125
IsDebuggerPresent
failed 0 0
1619977368.285125
IsDebuggerPresent
failed 0 0
1619977368.785125
IsDebuggerPresent
failed 0 0
1619977369.285125
IsDebuggerPresent
failed 0 0
1619977369.785125
IsDebuggerPresent
failed 0 0
1619977370.285125
IsDebuggerPresent
failed 0 0
1619977370.785125
IsDebuggerPresent
failed 0 0
1619977371.285125
IsDebuggerPresent
failed 0 0
1619977371.785125
IsDebuggerPresent
failed 0 0
1619977372.285125
IsDebuggerPresent
failed 0 0
1619977372.785125
IsDebuggerPresent
failed 0 0
1619977373.285125
IsDebuggerPresent
failed 0 0
1619977373.785125
IsDebuggerPresent
failed 0 0
1619977374.285125
IsDebuggerPresent
failed 0 0
1619977374.785125
IsDebuggerPresent
failed 0 0
1619977375.285125
IsDebuggerPresent
failed 0 0
1619977375.785125
IsDebuggerPresent
failed 0 0
1619977376.285125
IsDebuggerPresent
failed 0 0
1619977376.785125
IsDebuggerPresent
failed 0 0
1619977377.285125
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619977352.316125
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 91 个事件)
Time & API Arguments Status Return Repeated
1619977351.332125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008f0000
success 0 0
1619977351.332125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00a70000
success 0 0
1619977351.832125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00af0000
success 0 0
1619977351.832125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c80000
success 0 0
1619977352.035125
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619977352.238125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008f0000
success 0 0
1619977352.238125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00920000
success 0 0
1619977352.269125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002aa000
success 0 0
1619977352.269125
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619977352.269125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a2000
success 0 0
1619977352.613125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b2000
success 0 0
1619977352.738125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002e5000
success 0 0
1619977352.738125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002eb000
success 0 0
1619977352.738125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002e7000
success 0 0
1619977352.863125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b3000
success 0 0
1619977352.910125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002bc000
success 0 0
1619977352.988125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f0000
success 0 0
1619977353.191125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b4000
success 0 0
1619977353.910125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b5000
success 0 0
1619977353.957125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b7000
success 0 0
1619977353.988125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f1000
success 0 0
1619977354.035125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a3000
success 0 0
1619977354.035125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ac000
success 0 0
1619977354.113125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b8000
success 0 0
1619977354.144125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b9000
success 0 0
1619977354.269125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d60000
success 0 0
1619977354.316125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c6000
success 0 0
1619977354.379125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f2000
success 0 0
1619977354.379125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002ca000
success 0 0
1619977354.379125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002c7000
success 0 0
1619977354.426125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d61000
success 0 0
1619977354.457125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f3000
success 0 0
1619977354.472125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f6000
success 0 0
1619977395.504125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d62000
success 0 0
1619977395.504125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f7000
success 0 0
1619977395.676125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f8000
success 0 0
1619977395.816125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009f9000
success 0 0
1619977395.847125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002bd000
success 0 0
1619977395.847125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d63000
success 0 0
1619977395.847125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009fa000
success 0 0
1619977395.894125
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 147456
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05160400
failed 3221225550 0
1619977398.535125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009fb000
success 0 0
1619977398.582125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009fc000
success 0 0
1619977398.582125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d64000
success 0 0
1619977398.597125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009fd000
success 0 0
1619977398.801125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009fe000
success 0 0
1619977398.801125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009ff000
success 0 0
1619977399.066125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d10000
success 0 0
1619977399.129125
NtAllocateVirtualMemory
process_identifier: 2860
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d11000
success 0 0
1619977399.144125
NtProtectVirtualMemory
process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05160178
failed 3221225550 0
A process attempted to delay the analysis task. (1 个事件)
description df52710baed1e23ff0b98df9568f4f49.exe tried to sleep 134 seconds, actually delayed analysis time by 134 seconds
Steals private information from local Internet browsers (19 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.2746408910623 section {'size_of_data': '0x000b1c00', 'virtual_address': '0x00002000', 'entropy': 7.2746408910623, 'name': '.text', 'virtual_size': '0x000b1b84'} description A section with a high entropy has been found
entropy 0.7745098039215687 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619977353.363125
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 172.217.24.14
host 195.69.140.147
host 203.208.41.66
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619977399.347125
NtAllocateVirtualMemory
process_identifier: 2940
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000015d8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Harvests credentials from local FTP client softwares (22 个事件)
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\Administrator.Oskar-PC\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\filezilla.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
Harvests information related to installed instant messenger clients (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\.purple\accounts.xml
Potential code injection by writing to the memory of another process (3 个事件)
Time & API Arguments Status Return Repeated
1619977399.347125
WriteProcessMemory
process_identifier: 2940
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x000015d8
base_address: 0x00400000
success 1 0
1619977399.363125
WriteProcessMemory
process_identifier: 2940
buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
process_handle: 0x000015d8
base_address: 0x0041a000
success 1 0
1619977399.363125
WriteProcessMemory
process_identifier: 2940
buffer: @
process_handle: 0x000015d8
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619977399.347125
WriteProcessMemory
process_identifier: 2940
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x000015d8
base_address: 0x00400000
success 1 0
Harvests credentials from local email clients (3 个事件)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2860 called NtSetContextThread to modify thread in remote process 2940
Time & API Arguments Status Return Repeated
1619977399.363125
NtSetContextThread
thread_handle: 0x00010d20
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2940
success 0 0
Putty Files, Registry Keys and/or Mutexes Detected
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2860 resumed a thread in remote process 2940
Time & API Arguments Status Return Repeated
1619977399.660125
NtResumeThread
thread_handle: 0x00010d20
suspend_count: 1
process_identifier: 2940
success 0 0
Executed a process and injected code into it, probably while unpacking (25 个事件)
Time & API Arguments Status Return Repeated
1619977352.254125
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2860
success 0 0
1619977352.285125
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2860
success 0 0
1619977352.363125
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 2860
success 0 0
1619977353.676125
NtResumeThread
thread_handle: 0x00000204
suspend_count: 1
process_identifier: 2860
success 0 0
1619977353.722125
NtResumeThread
thread_handle: 0x0000021c
suspend_count: 1
process_identifier: 2860
success 0 0
1619977396.785125
NtGetContextThread
thread_handle: 0x0000021c
success 0 0
1619977396.785125
NtGetContextThread
thread_handle: 0x0000021c
success 0 0
1619977396.785125
NtResumeThread
thread_handle: 0x0000021c
suspend_count: 1
process_identifier: 2860
success 0 0
1619977396.801125
NtGetContextThread
thread_handle: 0x0000021c
success 0 0
1619977396.801125
NtGetContextThread
thread_handle: 0x0000021c
success 0 0
1619977396.801125
NtResumeThread
thread_handle: 0x0000021c
suspend_count: 1
process_identifier: 2860
success 0 0
1619977399.144125
NtResumeThread
thread_handle: 0x000004f0
suspend_count: 1
process_identifier: 2860
success 0 0
1619977399.160125
NtResumeThread
thread_handle: 0x00010d1c
suspend_count: 1
process_identifier: 2860
success 0 0
1619977399.347125
CreateProcessInternalW
thread_identifier: 1160
thread_handle: 0x00010d20
process_identifier: 2940
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\df52710baed1e23ff0b98df9568f4f49.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\df52710baed1e23ff0b98df9568f4f49.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000015d8
inherit_handles: 0
success 1 0
1619977399.347125
NtGetContextThread
thread_handle: 0x00010d20
success 0 0
1619977399.347125
NtAllocateVirtualMemory
process_identifier: 2940
region_size: 663552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000015d8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619977399.347125
WriteProcessMemory
process_identifier: 2940
buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþˆ¬­ˆ¬­ˆ¬­Ô•­‰¬­K£K­Š¬­ ­‰¬­=2󭋬­ˆ¬­Œ¬­Ôƒ­‰¬­ˆ¬­Ç¬­Ô…­™¬­=2÷­ó¬­=2È­‰¬­Richˆ¬­PEL…lWà  8¢Þ9P@ €ЎdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x €À
process_handle: 0x000015d8
base_address: 0x00400000
success 1 0
1619977399.347125
WriteProcessMemory
process_identifier: 2940
buffer:
process_handle: 0x000015d8
base_address: 0x00401000
success 1 0
1619977399.363125
WriteProcessMemory
process_identifier: 2940
buffer:
process_handle: 0x000015d8
base_address: 0x00415000
success 1 0
1619977399.363125
WriteProcessMemory
process_identifier: 2940
buffer: ™TÍ<¨‡K¢`ˆˆÝ;U
process_handle: 0x000015d8
base_address: 0x0041a000
success 1 0
1619977399.363125
WriteProcessMemory
process_identifier: 2940
buffer:
process_handle: 0x000015d8
base_address: 0x004a0000
success 1 0
1619977399.363125
WriteProcessMemory
process_identifier: 2940
buffer: @
process_handle: 0x000015d8
base_address: 0x7efde008
success 1 0
1619977399.363125
NtSetContextThread
thread_handle: 0x00010d20
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2940
success 0 0
1619977399.660125
NtResumeThread
thread_handle: 0x00010d20
suspend_count: 1
process_identifier: 2940
success 0 0
1619977403.033774
NtResumeThread
thread_handle: 0x00000110
suspend_count: 1
process_identifier: 2940
success 0 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-04 17:27:05

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.