12.4
0-day
52 个模型检测该样本为恶意!
重新分析
更多

2ae5e19dd2e891ea8c09b48a7e0805a2f797cdfe841c0d71acc90d58eef5e94f

e09fdb19a562cc784a9fe81737a3c406.exe

分析耗时

87s

最近分析

文件大小

432.5KB
静态报毒 动态报毒 AGEN AGENSLA AGENTTESLA AI SCORE=82 BM0@ASYZIKJ CONFIDENCE ELDORADO FSJJ GDSDA GENERICKD HIGH CONFIDENCE HKOSFQ KRYPT KRYPTIK MALICIOUS PE MALWARE@#3UFJMTR5TZ29T MSILKRYPT PACKEDNET PWSX R06EC0DIA20 R338049 REMCOS S + TROJ SCORE STATIC AI SUSGEN TROJANPSW UNSAFE YAKBEEXMSIL YQN7ZZXB3EC ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Trojan-FSJJ!E09FDB19A562 20201211 6.0.6.653
Alibaba TrojanPSW:MSIL/AgentTesla.626371e7 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:PWSX-gen [Trj] 20201210 21.1.5827.0
Tencent 20201211 1.0.0.1
Kingsoft 20201211 2017.9.26.565
CrowdStrike win/malicious_confidence_60% (W) 20190702 1.0
静态指标
Queries for the computername (5 个事件)
Time & API Arguments Status Return Repeated
1619966618.772375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619966623.89775
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619966625.30375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619966627.14775
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619966627.47575
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (14 个事件)
Time & API Arguments Status Return Repeated
1619966615.538125
IsDebuggerPresent
failed 0 0
1619966616.538125
IsDebuggerPresent
failed 0 0
1619966617.053125
IsDebuggerPresent
failed 0 0
1619966617.553125
IsDebuggerPresent
failed 0 0
1619966618.053125
IsDebuggerPresent
failed 0 0
1619966618.553125
IsDebuggerPresent
failed 0 0
1619966619.053125
IsDebuggerPresent
failed 0 0
1619966619.553125
IsDebuggerPresent
failed 0 0
1619966620.053125
IsDebuggerPresent
failed 0 0
1619966620.553125
IsDebuggerPresent
failed 0 0
1619966621.053125
IsDebuggerPresent
failed 0 0
1619966621.553125
IsDebuggerPresent
failed 0 0
1619966622.053125
IsDebuggerPresent
failed 0 0
1619966622.64775
IsDebuggerPresent
failed 0 0
Command line console output was observed (2 个事件)
Time & API Arguments Status Return Repeated
1619966620.038375
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\KoYrsrgSG"。
console_handle: 0x00000007
success 1 0
1619966634.303625
WriteConsoleW
buffer: 操作成功完成。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619966617.694125
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (6 个事件)
Time & API Arguments Status Return Repeated
1619966626.97575
__exception__
stacktrace: 
0x4702b4e
0x4701e38
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3992580
registers.edi: 55682547
registers.eax: 0
registers.ebp: 3992624
registers.edx: 158
registers.ebx: 0
registers.esi: 39819392
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 dc b8 51 9a 12 f6 e9 6a ff
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4702fb1
success 0 0
1619966660.60075
__exception__
stacktrace: 
0x470536e
0x470256a
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3990948
registers.edi: 3991008
registers.eax: 0
registers.ebp: 3991024
registers.edx: 3990916
registers.ebx: 40026628
registers.esi: 40422392
registers.ecx: 0
exception.instruction_r: 39 09 e8 d2 90 95 6d 89 45 b8 b8 4f 14 1f b1 35
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x470b74f
success 0 0
1619966660.83475
__exception__
stacktrace: 
0x4705a07
0x470256a
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3990956
registers.edi: 40722020
registers.eax: 40724660
registers.ebp: 3991024
registers.edx: 40724660
registers.ebx: 40720208
registers.esi: 0
registers.ecx: 1911774966
exception.instruction_r: 39 06 68 ff ff ff 7f 6a 00 8b ce e8 cc 36 b4 6c
exception.instruction: cmp dword ptr [esi], eax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x55c0aa4
success 0 0
1619966660.85075
__exception__
stacktrace: 
0x4705abb
0x470256a
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3990916
registers.edi: 3991008
registers.eax: 0
registers.ebp: 3991024
registers.edx: 3990884
registers.ebx: 0
registers.esi: 40729604
registers.ecx: 0
exception.instruction_r: 39 09 e8 7c 37 aa 6c 83 78 04 00 0f 84 48 04 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x55c10a5
success 0 0
1619966664.94475
__exception__
stacktrace: 
0x4705faa
0x470256a
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3990968
registers.edi: 3991008
registers.eax: 3
registers.ebp: 3991024
registers.edx: 0
registers.ebx: 40026628
registers.esi: 40862268
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 5c 39 00 89 45 c8 b8 aa 7f ea ed eb
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x55c599c
success 0 0
1619966665.20975
__exception__
stacktrace: 
0x470256a
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3991032
registers.edi: 40012924
registers.eax: 0
registers.ebp: 3992676
registers.edx: 6
registers.ebx: 40026628
registers.esi: 955284594
registers.ecx: 12
exception.instruction_r: 83 78 08 01 0f 9f c0 0f b6 c0 8b 95 b4 f9 ff ff
exception.instruction: cmp dword ptr [eax + 8], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x47062e0
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 124 个事件)
Time & API Arguments Status Return Repeated
1619966615.069125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00830000
success 0 0
1619966615.069125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00970000
success 0 0
1619966615.459125
NtProtectVirtualMemory
process_identifier: 2520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1619966615.538125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ba000
success 0 0
1619966615.538125
NtProtectVirtualMemory
process_identifier: 2520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1619966615.538125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b2000
success 0 0
1619966615.756125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c2000
success 0 0
1619966615.834125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c3000
success 0 0
1619966615.850125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0048b000
success 0 0
1619966615.850125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00487000
success 0 0
1619966615.913125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003cc000
success 0 0
1619966615.975125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a0000
success 0 0
1619966616.163125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ca000
success 0 0
1619966616.256125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003fa000
success 0 0
1619966616.288125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f2000
success 0 0
1619966616.334125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c4000
success 0 0
1619966616.366125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00485000
success 0 0
1619966616.678125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c5000
success 0 0
1619966616.756125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003ea000
success 0 0
1619966616.756125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e7000
success 0 0
1619966616.772125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003bb000
success 0 0
1619966616.850125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a1000
success 0 0
1619966617.006125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x047e0000
success 0 0
1619966617.053125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e6000
success 0 0
1619966617.194125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c7000
success 0 0
1619966617.209125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a3000
success 0 0
1619966617.397125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00971000
success 0 0
1619966617.538125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c8000
success 0 0
1619966617.538125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a4000
success 0 0
1619966617.553125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x05b40000
success 0 0
1619966617.553125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05d10000
success 0 0
1619966617.553125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05d11000
success 0 0
1619966617.584125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05d12000
success 0 0
1619966617.600125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05d13000
success 0 0
1619966617.600125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05d14000
success 0 0
1619966617.600125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05d15000
success 0 0
1619966617.600125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05d18000
success 0 0
1619966617.600125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05d1a000
success 0 0
1619966617.600125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05d1c000
success 0 0
1619966617.600125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05d20000
success 0 0
1619966617.631125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a5000
success 0 0
1619966617.647125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05d31000
success 0 0
1619966617.663125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a6000
success 0 0
1619966617.772125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x047e1000
success 0 0
1619966617.897125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003b3000
success 0 0
1619966617.959125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x047e2000
success 0 0
1619966621.803125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003c9000
success 0 0
1619966621.819125
NtAllocateVirtualMemory
process_identifier: 2520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a7000
success 0 0
1619966622.49175
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x007b0000
success 0 0
1619966622.49175
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00880000
success 0 0
Steals private information from local Internet browsers (7 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data
Creates a suspicious process (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KoYrsrgSG" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6397.tmp"
cmdline schtasks.exe /Create /TN "Updates\KoYrsrgSG" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6397.tmp"
A process created a hidden window (2 个事件)
Time & API Arguments Status Return Repeated
1619966618.475125
ShellExecuteExW
parameters: /Create /TN "Updates\KoYrsrgSG" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6397.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
1619966660.97575
CreateProcessInternalW
thread_identifier: 1664
thread_handle: 0x000001e8
process_identifier: 2940
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000003f4
inherit_handles: 1
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.899131860047048 section {'size_of_data': '0x0006a200', 'virtual_address': '0x00002000', 'entropy': 7.899131860047048, 'name': '.text', 'virtual_size': '0x0006a024'} description A section with a high entropy has been found
entropy 0.9826388888888888 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619966616.194125
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619966623.60075
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (4 个事件)
cmdline REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KoYrsrgSG" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6397.tmp"
cmdline "netsh" wlan show profile
cmdline schtasks.exe /Create /TN "Updates\KoYrsrgSG" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6397.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619966621.959125
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000038c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
A process attempted to delay the analysis task. (1 个事件)
description RegSvcs.exe tried to sleep 2728299 seconds, actually delayed analysis time by 2728299 seconds
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6397.tmp
Harvests credentials from local FTP client softwares (5 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619966621.959125
WriteProcessMemory
process_identifier: 2064
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELGÂ^à ®~Í à@  @…,ÍOà  H.text„­ ® `.rsrcà°@@.reloc ´@B
process_handle: 0x0000038c
base_address: 0x00400000
success 1 0
1619966621.975125
WriteProcessMemory
process_identifier: 2064
buffer: €0€HX༼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t*InternalNameRJNNztqgBCTPcHhdUlpVCujozVwdsmyNtReda.exe(LegalCopyright |*OriginalFilenameRJNNztqgBCTPcHhdUlpVCujozVwdsmyNtReda.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x0000038c
base_address: 0x0044e000
success 1 0
1619966621.975125
WriteProcessMemory
process_identifier: 2064
buffer: À €=
process_handle: 0x0000038c
base_address: 0x00450000
success 1 0
1619966621.975125
WriteProcessMemory
process_identifier: 2064
buffer: @
process_handle: 0x0000038c
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619966621.959125
WriteProcessMemory
process_identifier: 2064
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELGÂ^à ®~Í à@  @…,ÍOà  H.text„­ ® `.rsrcà°@@.reloc ´@B
process_handle: 0x0000038c
base_address: 0x00400000
success 1 0
Harvests credentials from local email clients (6 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2520 called NtSetContextThread to modify thread in remote process 2064
Time & API Arguments Status Return Repeated
1619966621.975125
NtSetContextThread
thread_handle: 0x000003e0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4509054
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2064
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2520 resumed a thread in remote process 2064
Time & API Arguments Status Return Repeated
1619966622.303125
NtResumeThread
thread_handle: 0x000003e0
suspend_count: 1
process_identifier: 2064
success 0 0
Executed a process and injected code into it, probably while unpacking (26 个事件)
Time & API Arguments Status Return Repeated
1619966615.538125
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2520
success 0 0
1619966615.616125
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 2520
success 0 0
1619966616.491125
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2520
success 0 0
1619966616.522125
NtResumeThread
thread_handle: 0x0000023c
suspend_count: 1
process_identifier: 2520
success 0 0
1619966618.475125
CreateProcessInternalW
thread_identifier: 2116
thread_handle: 0x00000398
process_identifier: 2900
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KoYrsrgSG" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp6397.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000003d0
inherit_handles: 0
success 1 0
1619966621.959125
CreateProcessInternalW
thread_identifier: 1912
thread_handle: 0x000003e0
process_identifier: 2064
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000038c
inherit_handles: 0
success 1 0
1619966621.959125
NtGetContextThread
thread_handle: 0x000003e0
success 0 0
1619966621.959125
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000038c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619966621.959125
WriteProcessMemory
process_identifier: 2064
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELGÂ^à ®~Í à@  @…,ÍOà  H.text„­ ® `.rsrcà°@@.reloc ´@B
process_handle: 0x0000038c
base_address: 0x00400000
success 1 0
1619966621.959125
WriteProcessMemory
process_identifier: 2064
buffer:
process_handle: 0x0000038c
base_address: 0x00402000
success 1 0
1619966621.975125
WriteProcessMemory
process_identifier: 2064
buffer: €0€HX༼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion0.0.0.0t*InternalNameRJNNztqgBCTPcHhdUlpVCujozVwdsmyNtReda.exe(LegalCopyright |*OriginalFilenameRJNNztqgBCTPcHhdUlpVCujozVwdsmyNtReda.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x0000038c
base_address: 0x0044e000
success 1 0
1619966621.975125
WriteProcessMemory
process_identifier: 2064
buffer: À €=
process_handle: 0x0000038c
base_address: 0x00450000
success 1 0
1619966621.975125
WriteProcessMemory
process_identifier: 2064
buffer: @
process_handle: 0x0000038c
base_address: 0x7efde008
success 1 0
1619966621.975125
NtSetContextThread
thread_handle: 0x000003e0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4509054
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2064
success 0 0
1619966622.303125
NtResumeThread
thread_handle: 0x000003e0
suspend_count: 1
process_identifier: 2064
success 0 0
1619966622.303125
NtResumeThread
thread_handle: 0x000003f4
suspend_count: 1
process_identifier: 2520
success 0 0
1619966622.64775
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2064
success 0 0
1619966622.89775
NtResumeThread
thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2064
success 0 0
1619966625.14775
NtResumeThread
thread_handle: 0x000002cc
suspend_count: 1
process_identifier: 2064
success 0 0
1619966625.17875
NtResumeThread
thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 2064
success 0 0
1619966627.03875
NtResumeThread
thread_handle: 0x0000036c
suspend_count: 1
process_identifier: 2064
success 0 0
1619966633.47575
NtResumeThread
thread_handle: 0x000003b8
suspend_count: 1
process_identifier: 2064
success 0 0
1619966633.80375
CreateProcessInternalW
thread_identifier: 2764
thread_handle: 0x000003bc
process_identifier: 1752
current_directory:
filepath:
track: 1
command_line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000003c0
inherit_handles: 0
success 1 0
1619966660.97575
CreateProcessInternalW
thread_identifier: 1664
thread_handle: 0x000001e8
process_identifier: 2940
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" wlan show profile
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000003f4
inherit_handles: 1
success 1 0
1619966667.50675
NtResumeThread
thread_handle: 0x00000434
suspend_count: 1
process_identifier: 2064
success 0 0
1619966662.11675
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2940
success 0 0
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
FireEye Generic.mg.e09fdb19a562cc78
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Trojan-FSJJ!E09FDB19A562
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 0056761d1 )
Alibaba TrojanPSW:MSIL/AgentTesla.626371e7
K7GW Trojan ( 0056761d1 )
Cybereason malicious.9894cd
Arcabit Trojan.Generic.D2054965
BitDefenderTheta Gen:NN.ZemsilF.34670.Bm0@aSyzIKj
Cyren W32/MSIL_Kryptik.ASY.gen!Eldorado
Symantec Trojan Horse
TrendMicro-HouseCall Backdoor.MSIL.REMCOS.SM
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.33900901
NANO-Antivirus Trojan.Win32.PackedNET.hkosfq
AegisLab Trojan.Win32.Malicious.4!c
MicroWorld-eScan Trojan.GenericKD.33900901
Avast Win32:PWSX-gen [Trj]
Ad-Aware Trojan.GenericKD.33900901
Emsisoft Trojan.GenericKD.33900901 (B)
Comodo Malware@#3ufjmtr5tz29t
F-Secure Heuristic.HEUR/AGEN.1135049
DrWeb Trojan.PackedNET.299
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06EC0DIA20
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
Sophos Mal/Generic-S + Troj/Kryptik-LC
APEX Malicious
Avira HEUR/AGEN.1135049
MAX malware (ai score=82)
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Microsoft Trojan:MSIL/AgentTesla
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.33900901
SentinelOne Static AI - Malicious PE
AhnLab-V3 Trojan/Win32.MSILKrypt.R338049
ALYac Spyware.AgentTesla
Malwarebytes Trojan.MalPack.DFD.Generic
ESET-NOD32 a variant of MSIL/Kryptik.WAO
Yandex Trojan.Kryptik!YqN7ZzXB3Ec
Ikarus Trojan.MSIL.Krypt
Fortinet MSIL/Kryptik.WAU!tr
MaxSecure Trojan.Malware.74499699.susgen
AVG Win32:PWSX-gen [Trj]
Panda Trj/GdSda.A
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-05-25 09:13:17

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.