SmartHawk

10.8

0-day

57 个模型检测该样本为恶意！

重新分析

下载样本

ac59fc8043fdbad6e5c65e7c9e34aaceffe49290761f5ff6befa5825a781bc27

e80514ca1a42e6f28fbd78b561883c2c.exe

分析耗时

145s

最近分析

文件大小

389.5KB

静态报毒动态报毒 100% ADMZ AGENSLA AGENTTESLA AI SCORE=82 AIHP ATTRIBUTE CLOUD CONFIDENCE EVG0ML2U7C0 FAREIT GDSDA GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HLBWPC INJECTORX KILLPROC2 KNZHX KRYPTIK MALICIOUS PE MALREP OCCAMY QQPASS QQROB SCORE THFADBO TROJANPSW UMQW UNSAFE YMW@AKZUXJB ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FVK!E80514CA1A42	20200706	6.0.6.653
Alibaba	TrojanPSW:MSIL/Occamy.c29161f1	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:InjectorX-gen [Trj]	20200706	18.4.3895.0
Kingsoft		20200706	2013.8.14.323
Tencent	Msil.Trojan-qqpass.Qqrob.Aihp	20200706	1.0.0.1
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Queries for the computername (4 个事件)

Time & API	Arguments	Status	Return
1619974648.132626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619974651.507626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619974655.945626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619974657.711626 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (50 out of 236 个事件)

Time & API	Arguments	Status	Return	Repeated
1619951394.1565 IsDebuggerPresent		failed	0	0
1619951394.1565 IsDebuggerPresent		failed	0	0
1619974646.242626 IsDebuggerPresent		failed	0	0
1619974646.242626 IsDebuggerPresent		failed	0	0
1619974648.320751 IsDebuggerPresent		failed	0	0
1619974648.320751 IsDebuggerPresent		failed	0	0
1619974649.586874 IsDebuggerPresent		failed	0	0
1619974649.586874 IsDebuggerPresent		failed	0	0
1619974650.445999 IsDebuggerPresent		failed	0	0
1619974650.445999 IsDebuggerPresent		failed	0	0
1619974650.773751 IsDebuggerPresent		failed	0	0
1619974650.773751 IsDebuggerPresent		failed	0	0
1619974651.430249 IsDebuggerPresent		failed	0	0
1619974651.430249 IsDebuggerPresent		failed	0	0
1619974651.695626 IsDebuggerPresent		failed	0	0
1619974651.695626 IsDebuggerPresent		failed	0	0
1619974652.382874 IsDebuggerPresent		failed	0	0
1619974652.382874 IsDebuggerPresent		failed	0	0
1619974652.601501 IsDebuggerPresent		failed	0	0
1619974652.601501 IsDebuggerPresent		failed	0	0
1619974653.305124 IsDebuggerPresent		failed	0	0
1619974653.305124 IsDebuggerPresent		failed	0	0
1619974653.507751 IsDebuggerPresent		failed	0	0
1619974653.523751 IsDebuggerPresent		failed	0	0
1619974654.539999 IsDebuggerPresent		failed	0	0
1619974654.539999 IsDebuggerPresent		failed	0	0
1619974656.789374 IsDebuggerPresent		failed	0	0
1619974656.789374 IsDebuggerPresent		failed	0	0
1619974657.617374 IsDebuggerPresent		failed	0	0
1619974657.617374 IsDebuggerPresent		failed	0	0
1619974658.054626 IsDebuggerPresent		failed	0	0
1619974658.054626 IsDebuggerPresent		failed	0	0
1619974658.789499 IsDebuggerPresent		failed	0	0
1619974658.789499 IsDebuggerPresent		failed	0	0
1619974658.993124 IsDebuggerPresent		failed	0	0
1619974659.008124 IsDebuggerPresent		failed	0	0
1619974659.867626 IsDebuggerPresent		failed	0	0
1619974659.867626 IsDebuggerPresent		failed	0	0
1619974660.087249 IsDebuggerPresent		failed	0	0
1619974660.087249 IsDebuggerPresent		failed	0	0
1619974660.820374 IsDebuggerPresent		failed	0	0
1619974660.820374 IsDebuggerPresent		failed	0	0
1619974661.054374 IsDebuggerPresent		failed	0	0
1619974661.054374 IsDebuggerPresent		failed	0	0
1619974661.632874 IsDebuggerPresent		failed	0	0
1619974661.632874 IsDebuggerPresent		failed	0	0
1619974661.851874 IsDebuggerPresent		failed	0	0
1619974661.851874 IsDebuggerPresent		failed	0	0
1619974662.539751 IsDebuggerPresent		failed	0	0
1619974662.539751 IsDebuggerPresent		failed	0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619951394.1875 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (6 个事件)

Time & API	Arguments	Status
1619974654.273626 __exception__	stacktrace: 0xba2ad5 0xba1df8 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2682084 registers.edi: 2682112 registers.eax: 0 registers.ebp: 2682128 registers.edx: 8 registers.ebx: 0 registers.esi: 47281508 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 fe 54 1d e7 e9 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xba6212	success
1619974693.086626 __exception__	stacktrace: 0x4d12e3e 0xba2514 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2680636 registers.edi: 47891268 registers.eax: 47895684 registers.ebp: 2680700 registers.edx: 47895684 registers.ebx: 47893308 registers.esi: 0 registers.ecx: 1908490458 exception.instruction_r: 39 06 68 ff ff ff 7f 6a 00 8b ce e8 53 35 77 6c exception.instruction: cmp dword ptr [esi], eax exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x575531d	success
1619974705.507626 __exception__	stacktrace: 0x4d1380a 0xba2514 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2680624 registers.edi: 2680684 registers.eax: 0 registers.ebp: 2680700 registers.edx: 47056024 registers.ebx: 447605810 registers.esi: 136210631 registers.ecx: 0 exception.instruction_r: 39 09 e8 c8 d2 fb 6b 89 45 b8 33 d2 89 55 dc b8 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5e2f175	success
1619974709.195626 __exception__	stacktrace: 0x4d13d78 0xba2514 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2680644 registers.edi: 2082585049 registers.eax: 3 registers.ebp: 2680700 registers.edx: 0 registers.ebx: 447605810 registers.esi: 49155424 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 2c ff 50 14 39 00 89 45 c8 b8 5c 08 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5bd2510	success
1619974710.617626 __exception__	stacktrace: 0xba2514 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2680708 registers.edi: 47530504 registers.eax: 0 registers.ebp: 2682176 registers.edx: 0 registers.ebx: 447605810 registers.esi: 294851746 registers.ecx: 14 exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 8b 95 cc fa ff ff exception.instruction: cmp dword ptr [eax + 4], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4d13d16	success
1619974710.632626 __exception__	stacktrace: 0x4d141c8 0xba2514 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73b921db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73bb4a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73bb4bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73bb4c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73bb4c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73c7ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73c7cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73c7cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73c7d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73c7d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73cfaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x745255ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x747a7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x747a4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2680592 registers.edi: 0 registers.eax: 0 registers.ebp: 2680700 registers.edx: 47056024 registers.ebx: 0 registers.esi: 294851746 registers.ecx: 0 exception.instruction_r: 39 09 e8 19 99 21 6c 83 78 04 00 0f 84 df 03 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5bd2b24	success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 3816 个事件)

Time & API	Arguments	Status
1619951393.4695 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00740000	success
1619951393.4695 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008c0000	success
1619951394.0625 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00740000	success
1619951394.0625 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007d0000	success
1619951394.0945 NtProtectVirtualMemory	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b91000	success
1619951394.1565 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00a90000	success
1619951394.1565 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b00000	success
1619951394.1725 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006ba000	success
1619951394.1725 NtProtectVirtualMemory	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b92000	success
1619951394.1725 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006b2000	success
1619951394.4225 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d2000	success
1619951394.4845 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006f5000	success
1619951394.4845 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006fb000	success
1619951394.4845 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006f7000	success
1619951394.6415 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d3000	success
1619951394.6725 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006dc000	success
1619951394.7665 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008a0000	success
1619951394.8755 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e6000	success
1619951394.9065 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006ea000	success
1619951394.9065 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006e7000	success
1619951394.9225 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d4000	success
1619951395.2345 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d5000	success
1619951395.3125 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008a1000	success
1619951395.4535 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00d80000	success
1619951396.5005 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00e00000	success
1619951397.3445 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x008a2000	success
1619951401.1565 NtAllocateVirtualMemory	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d6000	success
1619974646.211626 NtProtectVirtualMemory	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74521000	success
1619974646.211626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x008a0000	success
1619974646.211626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00980000	success
1619974646.226626 NtProtectVirtualMemory	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b91000	success
1619974646.226626 NtProtectVirtualMemory	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73ad1000	success
1619974646.242626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00460000	success
1619974646.242626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004c0000	success
1619974646.242626 NtProtectVirtualMemory	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b91000	success
1619974646.242626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00640000	success
1619974646.242626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006c0000	success
1619974646.242626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003fa000	success
1619974646.242626 NtProtectVirtualMemory	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73b92000	success
1619974646.242626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003f2000	success
1619974646.242626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00462000	success
1619974646.257626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00485000	success
1619974646.257626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048b000	success
1619974646.257626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00487000	success
1619974646.257626 NtProtectVirtualMemory	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x74511000	success
1619974646.257626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00463000	success
1619974646.257626 NtProtectVirtualMemory	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x75061000	success
1619974646.257626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00464000	success
1619974646.257626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0046c000	success
1619974646.273626 NtAllocateVirtualMemory	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b80000	success

Steals private information from local Internet browsers (7 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Chromium\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Yandex\YandexBrowser\User Data

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619974711.398626 CreateProcessInternalW	thread_identifier: 5384 thread_handle: 0x00000488 process_identifier: 5336 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "netsh" wlan show profile filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x0000049c inherit_handles: 1	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.075082674307612

section

{'size_of_data': '0x00061000', 'virtual_address': '0x00002000', 'entropy': 7.075082674307612, 'name': '.text', 'virtual_size': '0x00060f84'}

description

A section with a high entropy has been found

entropy

0.9974293059125964

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (50 out of 118 个事件)

Time & API	Arguments	Status	Return
1619951397.5475 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974647.382626 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974649.445751 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974649.711874 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974650.570999 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974650.914751 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974651.555249 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974651.851626 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974652.461874 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974652.742501 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974653.383124 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974653.679751 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974656.632999 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974656.914374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974657.929374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974658.195626 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974658.851499 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974659.133124 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974659.945626 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974660.196249 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974660.882374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974661.398374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974661.695874 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974661.929874 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974662.601751 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974662.820499 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974663.648374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974664.211374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974664.726374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974665.008124 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974665.945374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974666.211874 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974666.976751 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974667.476501 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974668.680124 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974668.992626 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974670.148874 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974670.414999 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974674.523499 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974675.179374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974675.665249 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974675.929626 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974676.992374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974677.539751 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974678.711374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974678.992874 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974679.821124 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974680.054874 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974681.570374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619974681.789874 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1

Terminates another process (50 out of 116 个事件)

Time & API	Arguments	Status
1619974649.492751 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000294	failed
1619974649.492751 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000294	success
1619974650.632999 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974650.632999 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success
1619974651.602249 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974651.602249 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success
1619974652.507874 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000294	failed
1619974652.507874 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000294	success
1619974653.446124 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974653.446124 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success
1619974656.711999 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x0000028c	failed
1619974656.711999 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x0000028c	success
1619974657.992374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974657.992374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success
1619974658.945499 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x0000028c	failed
1619974658.945499 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x0000028c	success
1619974660.023626 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x0000028c	failed
1619974660.023626 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x0000028c	success
1619974660.976374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974660.976374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success
1619974661.773874 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974661.773874 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success
1619974662.664751 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974662.664751 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success
1619974663.726374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x0000028c	failed
1619974663.726374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x0000028c	success
1619974664.789374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974664.789374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success
1619974666.039374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000294	failed
1619974666.039374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000294	success
1619974667.054751 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000294	failed
1619974667.054751 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000294	success
1619974668.790124 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974668.790124 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success
1619974670.257874 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000294	failed
1619974670.257874 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000294	success
1619974674.632499 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x0000028c	failed
1619974674.632499 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x0000028c	success
1619974675.790249 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974675.790249 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success
1619974677.117374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x0000028c	failed
1619974677.117374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x0000028c	success
1619974678.836374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974678.836374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success
1619974679.930124 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974679.930124 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success
1619974681.679374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000284	failed
1619974681.679374 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000284	success
1619974682.820626 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	failed
1619974682.820626 NtTerminateProcess	status_code: 0x00000001 process_identifier: 0 process_handle: 0x00000288	success

Uses Windows utilities for basic Windows functionality (1 个事件)

cmdline

"netsh" wlan show profile

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Looks for the Windows Idle Time to determine the uptime (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619974670.304626 NtQuerySystemInformation	information_class: 8 (SystemProcessorPerformanceInformation)	success	0	0

A process attempted to delay the analysis task. (1 个事件)

description

RegAsm.exe tried to sleep 2728402 seconds, actually delayed analysis time by 2728402 seconds

Harvests credentials from local FTP client softwares (5 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Manipulates memory of a non-child process indicative of process injection (50 out of 54 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1324 manipulating memory of non-child process 2040
Process injection	Process 3360 manipulating memory of non-child process 3420
Process injection	Process 1816 manipulating memory of non-child process 4100
Process injection	Process 4232 manipulating memory of non-child process 4292
Process injection	Process 4600 manipulating memory of non-child process 4664
Process injection	Process 4168 manipulating memory of non-child process 5116
Process injection	Process 796 manipulating memory of non-child process 4984
Process injection	Process 5476 manipulating memory of non-child process 5552
Process injection	Process 6120 manipulating memory of non-child process 5212
Process injection	Process 6120 manipulating memory of non-child process 5068
Process injection	Process 5708 manipulating memory of non-child process 5516
Process injection	Process 5708 manipulating memory of non-child process 5924
Process injection	Process 1552 manipulating memory of non-child process 5332
Process injection	Process 1552 manipulating memory of non-child process 1364
Process injection	Process 6548 manipulating memory of non-child process 6660
Process injection	Process 6548 manipulating memory of non-child process 6236
Process injection	Process 1708 manipulating memory of non-child process 7064
1619974649.429751 NtAllocateVirtualMemory	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974649.429751 NtAllocateVirtualMemory	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974652.445874 NtAllocateVirtualMemory	process_identifier: 3420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974652.445874 NtAllocateVirtualMemory	process_identifier: 3420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974665.929374 NtAllocateVirtualMemory	process_identifier: 4100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974665.929374 NtAllocateVirtualMemory	process_identifier: 4100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974666.961751 NtAllocateVirtualMemory	process_identifier: 4292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974666.961751 NtAllocateVirtualMemory	process_identifier: 4292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974669.898874 NtAllocateVirtualMemory	process_identifier: 4664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974669.898874 NtAllocateVirtualMemory	process_identifier: 4664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974687.617751 NtAllocateVirtualMemory	process_identifier: 5116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x0000023c allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974687.617751 NtAllocateVirtualMemory	process_identifier: 5116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x0000023c allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974689.586874 NtAllocateVirtualMemory	process_identifier: 4984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974689.586874 NtAllocateVirtualMemory	process_identifier: 4984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974695.054999 NtAllocateVirtualMemory	process_identifier: 5552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974695.054999 NtAllocateVirtualMemory	process_identifier: 5552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974703.492626 NtAllocateVirtualMemory	process_identifier: 5212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974703.492626 NtAllocateVirtualMemory	process_identifier: 5212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974703.898626 NtAllocateVirtualMemory	process_identifier: 5068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000254 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974703.898626 NtAllocateVirtualMemory	process_identifier: 5068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000254 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974709.632501 NtAllocateVirtualMemory	process_identifier: 5516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974709.632501 NtAllocateVirtualMemory	process_identifier: 5516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974710.054501 NtAllocateVirtualMemory	process_identifier: 5924 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000254 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974710.054501 NtAllocateVirtualMemory	process_identifier: 5924 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000254 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974720.446124 NtAllocateVirtualMemory	process_identifier: 5332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974720.446124 NtAllocateVirtualMemory	process_identifier: 5332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974720.774124 NtAllocateVirtualMemory	process_identifier: 1364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000254 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974720.774124 NtAllocateVirtualMemory	process_identifier: 1364 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000254 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974733.882751 NtAllocateVirtualMemory	process_identifier: 6660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974733.882751 NtAllocateVirtualMemory	process_identifier: 6660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974733.914751 NtAllocateVirtualMemory	process_identifier: 6236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000254 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0
1619974733.914751 NtAllocateVirtualMemory	process_identifier: 6236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000254 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000b0000	success	0	0
1619974740.712124 NtAllocateVirtualMemory	process_identifier: 7064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000240 allocation_type: 4096 (MEM_COMMIT) base_address: 0x000a0000	success	0	0

Harvests credentials from local email clients (5 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Attempts to remove evidence of file being downloaded from the Internet (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\DETRYKDTU.exe:Zone.Identifier

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

MicroWorld-eScan	Trojan.GenericKD.43328932
FireEye	Generic.mg.e80514ca1a42e6f2
CAT-QuickHeal	Trojan.Multi
McAfee	Fareit-FVK!E80514CA1A42
Malwarebytes	Spyware.AgentTesla
Zillya	Trojan.Kryptik.Win32.2052366
Sangfor	Malware
K7AntiVirus	Trojan ( 0056081c1 )
Alibaba	TrojanPSW:MSIL/Occamy.c29161f1
K7GW	Trojan ( 0056081c1 )
Cybereason	malicious.a1a42e
Invincea	heuristic
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:InjectorX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.43328932
NANO-Antivirus	Trojan.Win32.KillProc2.hlbwpc
Paloalto	generic.ml
AegisLab	Trojan.MSIL.Agensla.i!c
Rising	Trojan.Kryptik!8.8 (CLOUD)
Endgame	malicious (high confidence)
Emsisoft	Trojan.GenericKD.43328932 (B)
F-Secure	Trojan.TR/AD.AgentTesla.knzhx
DrWeb	Trojan.KillProc2.10940
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Trojan.MSIL.MALREP.THFADBO
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
SentinelOne	DFI - Malicious PE
Cyren	W32/Trojan.UMQW-7669
Jiangmin	Trojan.PSW.MSIL.admz
Avira	TR/AD.AgentTesla.knzhx
Antiy-AVL	Trojan[PSW]/MSIL.Agensla
Microsoft	Trojan:Win32/Occamy.CAC
Arcabit	Trojan.Generic.D29525A4
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.43328932
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Generic.C3983060
Acronis	suspicious
ALYac	Trojan.GenericKD.43328932
MAX	malware (ai score=82)
Ad-Aware	Trojan.GenericKD.43328932
Cylance	Unsafe
ESET-NOD32	a variant of MSIL/Kryptik.WOX
TrendMicro-HouseCall	Trojan.MSIL.MALREP.THFADBO
Tencent	Msil.Trojan-qqpass.Qqrob.Aihp
Yandex	Trojan.Kryptik!evg0Ml2u7c0
Ikarus	Trojan.MSIL.Crypt

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-06-12 23:16:04

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com A 172.217.160.78	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	53380	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62912	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.