SmartHawk

12.6

0-day

57 个模型检测该样本为恶意！

重新分析

下载样本

b5f9a952c4009061a21147103fc6d762c60e070fc588cab92846fc1c29679715

f13aa37174903d14951c141da29ec4bc.exe

分析耗时

130s

最近分析

文件大小

625.5KB

静态报毒动态报毒 AGEN AI SCORE=81 AIDETECTVM ALI2000015 ANDROM ARTEMIS AXEF BUDY9M CLASSIC CONFIDENCE DELF DELFINJECT DELPHILESS DZTA EMWU EMZL FAREIT FILEREPMALWARE GRAFTOR HIGH CONFIDENCE HQPGMA IGENT KRYPTIK LOKIBOT MALREP MALWARE2 MALWARE@#1QGNT4GTQL27B NETWIRE NMGFAUAWW9BI SCORE SIGGEN2 SUSGEN THJOGBO TSCOPE UNSAFE WBKW X2094 ZELPHIF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/DelfInject.ali2000015	20190527	0.3.0.5
Avast	Win32:Malware-gen	20201228	21.1.5827.0
Baidu		20190318	1.0.0.2
McAfee	Artemis!F13AA3717490	20201228	6.0.6.653
Tencent	Win32.Trojan.Injector.Dzta	20201228	1.0.0.1
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Checks if process is being debugged by a debugger (50 out of 53 个事件)

Time & API	Arguments	Status	Return	Repeated
1620016700.225125 IsDebuggerPresent		failed	0	0
1620016700.272125 IsDebuggerPresent		failed	0	0
1620016713.335125 IsDebuggerPresent		failed	0	0
1620016713.413125 IsDebuggerPresent		failed	0	0
1620016713.444125 IsDebuggerPresent		failed	0	0
1620016713.897125 IsDebuggerPresent		failed	0	0
1620016713.913125 IsDebuggerPresent		failed	0	0
1620016714.038125 IsDebuggerPresent		failed	0	0
1620016714.163125 IsDebuggerPresent		failed	0	0
1620016716.132125 IsDebuggerPresent		failed	0	0
1620016717.960125 IsDebuggerPresent		failed	0	0
1620016721.850125 IsDebuggerPresent		failed	0	0
1620016722.663125 IsDebuggerPresent		failed	0	0
1620016723.288125 IsDebuggerPresent		failed	0	0
1620016723.288125 IsDebuggerPresent		failed	0	0
1620016728.585125 IsDebuggerPresent		failed	0	0
1620016731.475125 IsDebuggerPresent		failed	0	0
1620016734.225125 IsDebuggerPresent		failed	0	0
1620016741.663125 IsDebuggerPresent		failed	0	0
1620016742.053125 IsDebuggerPresent		failed	0	0
1620016690.60025 IsDebuggerPresent		failed	0	0
1620016690.60025 IsDebuggerPresent		failed	0	0
1620016690.66325 IsDebuggerPresent		failed	0	0
1620016700.960625 IsDebuggerPresent		failed	0	0
1620016701.194625 IsDebuggerPresent		failed	0	0
1620016715.257625 IsDebuggerPresent		failed	0	0
1620016715.507625 IsDebuggerPresent		failed	0	0
1620016715.507625 IsDebuggerPresent		failed	0	0
1620016715.694625 IsDebuggerPresent		failed	0	0
1620016715.710625 IsDebuggerPresent		failed	0	0
1620016715.835625 IsDebuggerPresent		failed	0	0
1620016717.038625 IsDebuggerPresent		failed	0	0
1620016717.085625 IsDebuggerPresent		failed	0	0
1620016718.710625 IsDebuggerPresent		failed	0	0
1620016729.053625 IsDebuggerPresent		failed	0	0
1620016730.460625 IsDebuggerPresent		failed	0	0
1620016730.553625 IsDebuggerPresent		failed	0	0
1620016732.241625 IsDebuggerPresent		failed	0	0
1620016733.225625 IsDebuggerPresent		failed	0	0
1620016735.288625 IsDebuggerPresent		failed	0	0
1620016746.600625 IsDebuggerPresent		failed	0	0
1620016750.163625 IsDebuggerPresent		failed	0	0
1620016750.647625 IsDebuggerPresent		failed	0	0
1620016694.616125 IsDebuggerPresent		failed	0	0
1620016694.96075 IsDebuggerPresent		failed	0	0
1620016695.02275 IsDebuggerPresent		failed	0	0
1620016695.22575 IsDebuggerPresent		failed	0	0
1620016743.36572 IsDebuggerPresent		failed	0	0
1620016743.49072 IsDebuggerPresent		failed	0	0
1620016735.443845 IsDebuggerPresent		failed	0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 个事件)

file	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.dll
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619999685.035436 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620016749.725125 __exception__	stacktrace: 0xa92e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 registers.r14: 993515703808 registers.r9: 0 registers.rcx: 1372 registers.rsi: -6148914691236517206 registers.r10: 0 registers.rbx: 255585392 registers.rdi: 17302540 registers.r11: 255589312 registers.r8: 2009563532 registers.rdx: 1396 registers.rbp: 255585248 registers.r15: 255585752 registers.r12: 255586152 registers.rsp: 255585112 registers.rax: 11087360 registers.r13: 993516650496 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 a3 77 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa92e04	success	0	0
1620016752.975625 __exception__	stacktrace: registers.r14: 3748347153920 registers.r9: 0 registers.rcx: 1244 registers.rsi: -6148914691236517206 registers.r10: 0 registers.rbx: 254996144 registers.rdi: 17302540 registers.r11: 255000064 registers.r8: 2009563532 registers.rdx: 1308 registers.rbp: 254996000 registers.r15: 254996504 registers.r12: 254996904 registers.rsp: 254995848 registers.rax: 11021824 registers.r13: 3748348100608 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0	success	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (18 个事件)

Time & API	Arguments	Status
1619999683.801436 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e0000	success
1619999684.082436 NtProtectVirtualMemory	process_identifier: 368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00475000	success
1619999684.082436 NtAllocateVirtualMemory	process_identifier: 368 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00680000	success
1620016690.1165 NtAllocateVirtualMemory	process_identifier: 192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x01d20000	success
1620016690.1635 NtProtectVirtualMemory	process_identifier: 192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00475000	success
1620016690.1635 NtAllocateVirtualMemory	process_identifier: 192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01d60000	success
1620016690.991125 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00930000	success
1620016690.991125 NtProtectVirtualMemory	process_identifier: 3164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00475000	success
1620016690.991125 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00970000	success
1620016695.335125 NtAllocateVirtualMemory	process_identifier: 3420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003e0000	success
1620016696.007125 NtProtectVirtualMemory	process_identifier: 3420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00475000	success
1620016696.007125 NtAllocateVirtualMemory	process_identifier: 3420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00640000	success
1620016729.94397 NtAllocateVirtualMemory	process_identifier: 3996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d0000	success
1620016729.95997 NtProtectVirtualMemory	process_identifier: 3996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00475000	success
1620016729.95997 NtAllocateVirtualMemory	process_identifier: 3996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00530000	success
1620016740.67947 NtAllocateVirtualMemory	process_identifier: 3480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003d0000	success
1620016740.71047 NtProtectVirtualMemory	process_identifier: 3480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00475000	success
1620016740.71047 NtAllocateVirtualMemory	process_identifier: 3480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00530000	success

An application raised an exception which may be indicative of an exploit crash (4 个事件)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2228 crashed
Application Crash	Process chrome.exe with pid 3280 crashed
1620016749.725125 __exception__	stacktrace: 0xa92e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 registers.r14: 993515703808 registers.r9: 0 registers.rcx: 1372 registers.rsi: -6148914691236517206 registers.r10: 0 registers.rbx: 255585392 registers.rdi: 17302540 registers.r11: 255589312 registers.r8: 2009563532 registers.rdx: 1396 registers.rbp: 255585248 registers.r15: 255585752 registers.r12: 255586152 registers.rsp: 255585112 registers.rax: 11087360 registers.r13: 993516650496 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 a3 77 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xa92e04	success	0	0
1620016752.975625 __exception__	stacktrace: registers.r14: 3748347153920 registers.r9: 0 registers.rcx: 1244 registers.rsi: -6148914691236517206 registers.r10: 0 registers.rbx: 254996144 registers.rdi: 17302540 registers.r11: 255000064 registers.r8: 2009563532 registers.rdx: 1308 registers.rbp: 254996000 registers.r15: 254996504 registers.r12: 254996904 registers.rsp: 254995848 registers.rax: 11021824 registers.r13: 3748348100608 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0	success	0	0

Steals private information from local Internet browsers (26 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-608F29E6-CD0.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-608F29E4-8B4.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Last Version
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\old_GPUCache_000
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Policy\User Policy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF6f3aab.TMP
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index

Creates (office) documents on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\Caixa.pdf

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 个事件)

Time & API	Arguments	Status	Return
1620016690.1945 Process32NextW	process_name: f13aa37174903d14951c141da29ec4bc.exe snapshot_handle: 0x000000f4 process_identifier: 428	success	1
1620016690.1945 Process32NextW	process_name: chrome.exe snapshot_handle: 0x000000f4 process_identifier: 3080	success	1
1620016727.7105 Process32NextW	process_name: chrome.exe snapshot_handle: 0x00000448 process_identifier: 3280	success	1
1620016727.7105 Process32NextW	process_name: Host.exe snapshot_handle: 0x00000448 process_identifier: 3420	success	1
1620016727.7105 Process32NextW	process_name: dllhost.exe snapshot_handle: 0x00000448 process_identifier: 3940	success	1
1620016696.007125 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f4 process_identifier: 3520	success	1
1620016729.95997 Process32NextW	process_name: f13aa37174903d14951c141da29ec4bc.exe snapshot_handle: 0x000000f4 process_identifier: 3996	success	1
1620016729.95997 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000f4 process_identifier: 4064	success	1
1620016740.74147 Process32NextW	process_name: chrome.exe snapshot_handle: 0x000000f4 process_identifier: 4080	success	1

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.87853888043798

section

{'size_of_data': '0x00098000', 'virtual_address': '0x00083000', 'entropy': 7.87853888043798, 'name': 'UPX1', 'virtual_size': '0x00098000'}

description

A section with a high entropy has been found

entropy

0.9735788630904724

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (3 个事件)

process	f13aa37174903d14951c141da29ec4bc.exe
process	searchindexer.exe
process	host.exe

The executable is compressed using UPX (2 个事件)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	43.226.229.43

Installs itself for autorun at Windows startup (2 个事件)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NetWire				reg_value	C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NetWire				reg_value	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f13aa37174903d14951c141da29ec4bc.exe

Creates known Netwire files, registry keys and/or mutexes (1 个事件)

regkey

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NetWire

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 368 called NtSetContextThread to modify thread in remote process 428
Process injection	Process 3164 called NtSetContextThread to modify thread in remote process 3320
Process injection	Process 3996 called NtSetContextThread to modify thread in remote process 2764
1619999685.160436 NtSetContextThread	thread_handle: 0x000000fc registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4203565 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 428	success	0	0
1620016691.428125 NtSetContextThread	thread_handle: 0x00000114 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4203565 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3320	success	0	0
1620016734.86597 NtSetContextThread	thread_handle: 0x000000fc registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4203565 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2764	success	0	0

One or more non-safelisted processes were created (5 个事件)

parent_process	chrome.exe	martian_process	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef23c4f50,0x7fef23c4f60,0x7fef23c4f70
parent_process	chrome.exe	martian_process	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,2818024349387557598,6441002237860518477,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1048 /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef23c4f50,0x7fef23c4f60,0x7fef23c4f70
parent_process	chrome.exe	martian_process	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,15413193236887919189,2803694855300359941,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1072 /prefetch:2
parent_process	chrome.exe	martian_process	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef23c4f50,0x7fef23c4f60,0x7fef23c4f70

Resumed a suspended thread in a remote process potentially indicative of process injection (13 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 368 resumed a thread in remote process 428
Process injection	Process 3080 resumed a thread in remote process 2228
Process injection	Process 3164 resumed a thread in remote process 3320
Process injection	Process 3392 resumed a thread in remote process 3280
Process injection	Process 3996 resumed a thread in remote process 2764
1619999685.426436 NtResumeThread	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 428	success	0	0
1620016757.38225 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 2228	success	0	0
1620016759.28825 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 2228	success	0	0
1620016693.350125 NtResumeThread	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 3320	success	0	0
1620016757.21075 NtResumeThread	thread_handle: 0x000000000000010c suspend_count: 2 process_identifier: 3280	success	0	0
1620016758.88275 NtResumeThread	thread_handle: 0x000000000000010c suspend_count: 2 process_identifier: 3280	success	0	0
1620016759.89775 NtResumeThread	thread_handle: 0x000000000000010c suspend_count: 2 process_identifier: 3280	success	0	0
1620016736.61597 NtResumeThread	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 2764	success	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

43.226.229.43:2030

Executed a process and injected code into it, probably while unpacking (49 个事件)

Time & API	Arguments	Status	Return
1619999685.114436 CreateProcessInternalW	thread_identifier: 2368 thread_handle: 0x000001a8 process_identifier: 2228 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Program Files\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\ADMINI~1.OSK\AppData\Local\Temp\Caixa.pdf filepath_r: C:\Program Files\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000001b0 inherit_handles: 0	success	1
1619999685.145436 CreateProcessInternalW	thread_identifier: 392 thread_handle: 0x000000fc process_identifier: 428 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f13aa37174903d14951c141da29ec4bc.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000104 inherit_handles: 0	success	1
1619999685.145436 NtUnmapViewOfSection	process_identifier: 428 region_size: 4096 process_handle: 0x00000104 base_address: 0x00400000	success	0
1619999685.160436 NtMapViewOfSection	section_handle: 0x0000018c process_identifier: 428 commit_size: 208896 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000104 allocation_type: 0 () section_offset: 0 view_size: 208896 base_address: 0x00400000	success	0
1619999685.160436 NtGetContextThread	thread_handle: 0x000000fc	success	0
1619999685.160436 NtSetContextThread	thread_handle: 0x000000fc registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4203565 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 428	success	0
1619999685.426436 NtResumeThread	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 428	success	0
1619999685.582436 CreateProcessInternalW	thread_identifier: 1380 thread_handle: 0x00000190 process_identifier: 192 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f13aa37174903d14951c141da29ec4bc.exe" 2 428 7288312 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000110 inherit_handles: 0	success	1
1620016689.694125 NtResumeThread	thread_handle: 0x0000000000000078 suspend_count: 1 process_identifier: 2228	success	0
1620016690.053125 CreateProcessInternalW	thread_identifier: 3084 thread_handle: 0x00000000000000c0 process_identifier: 3080 current_directory: filepath: C:\Program Files\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef23c4f50,0x7fef23c4f60,0x7fef23c4f70 filepath_r: C:\Program Files\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000000000000c4 inherit_handles: 1	success	1
1620016749.288125 CreateProcessInternalW	thread_identifier: 1760 thread_handle: 0x0000000000000578 process_identifier: 1752 current_directory: filepath: C:\Program Files\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,15413193236887919189,2803694855300359941,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1072 /prefetch:2 filepath_r: C:\Program Files\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x0000000000000574 inherit_handles: 1	success	1
1620016690.694875 CreateProcessInternalW	thread_identifier: 3168 thread_handle: 0x0000021c process_identifier: 3164 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x0000029c inherit_handles: 0	success	1
1620016728.2885 CreateProcessInternalW	thread_identifier: 4000 thread_handle: 0x0000044c process_identifier: 3996 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f13aa37174903d14951c141da29ec4bc.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f13aa37174903d14951c141da29ec4bc.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000450 inherit_handles: 0	success	1
1620016690.97525 NtResumeThread	thread_handle: 0x000000000000011c suspend_count: 1 process_identifier: 3080	success	0
1620016750.94425 NtGetContextThread	thread_handle: 0x0000000000000140	success	0
1620016757.38225 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 2228	success	0
1620016757.38225 NtGetContextThread	thread_handle: 0x0000000000000140	success	0
1620016759.28825 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 2228	success	0
1620016759.28825 NtGetContextThread	thread_handle: 0x0000000000000140	success	0
1620016691.272125 CreateProcessInternalW	thread_identifier: 3284 thread_handle: 0x000001ac process_identifier: 3280 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Program Files\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\ADMINI~1.OSK\AppData\Local\Temp\Caixa.pdf filepath_r: C:\Program Files\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000001a8 inherit_handles: 0	success	1
1620016691.428125 CreateProcessInternalW	thread_identifier: 3324 thread_handle: 0x00000114 process_identifier: 3320 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000010c inherit_handles: 0	success	1
1620016691.428125 NtUnmapViewOfSection	process_identifier: 3320 region_size: 4096 process_handle: 0x0000010c base_address: 0x00400000	success	0
1620016691.428125 NtMapViewOfSection	section_handle: 0x00000100 process_identifier: 3320 commit_size: 208896 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x0000010c allocation_type: 0 () section_offset: 0 view_size: 208896 base_address: 0x00400000	success	0
1620016691.428125 NtGetContextThread	thread_handle: 0x00000114	success	0
1620016691.428125 NtSetContextThread	thread_handle: 0x00000114 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4203565 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3320	success	0
1620016693.350125 NtResumeThread	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 3320	success	0
1620016694.522125 CreateProcessInternalW	thread_identifier: 3424 thread_handle: 0x00000108 process_identifier: 3420 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Install\Host.exe" 2 3320 7292093 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x0000013c inherit_handles: 0	success	1
1620016692.428625 NtResumeThread	thread_handle: 0x0000000000000078 suspend_count: 1 process_identifier: 3280	success	0
1620016694.507625 CreateProcessInternalW	thread_identifier: 3396 thread_handle: 0x00000000000000c0 process_identifier: 3392 current_directory: filepath: C:\Program Files\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef23c4f50,0x7fef23c4f60,0x7fef23c4f70 filepath_r: C:\Program Files\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000000000000c4 inherit_handles: 1	success	1
1620016752.944625 CreateProcessInternalW	thread_identifier: 2952 thread_handle: 0x0000000000000518 process_identifier: 2956 current_directory: filepath: C:\Program Files\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,2818024349387557598,6441002237860518477,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1048 /prefetch:2 filepath_r: C:\Program Files\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000000000000051c inherit_handles: 1	success	1
1620016695.27275 NtResumeThread	thread_handle: 0x00000000000000dc suspend_count: 1 process_identifier: 3392	success	0
1620016753.78875 NtGetContextThread	thread_handle: 0x000000000000010c	success	0
1620016757.21075 NtResumeThread	thread_handle: 0x000000000000010c suspend_count: 2 process_identifier: 3280	success	0
1620016757.21075 NtGetContextThread	thread_handle: 0x000000000000010c	success	0
1620016758.88275 NtResumeThread	thread_handle: 0x000000000000010c suspend_count: 2 process_identifier: 3280	success	0
1620016758.88275 NtGetContextThread	thread_handle: 0x000000000000010c	success	0
1620016759.89775 NtResumeThread	thread_handle: 0x000000000000010c suspend_count: 2 process_identifier: 3280	success	0
1620016759.91375 NtGetContextThread	thread_handle: 0x000000000000010c	success	0
1620016732.53797 CreateProcessInternalW	thread_identifier: 4084 thread_handle: 0x000001ac process_identifier: 4080 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Program Files\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\ADMINI~1.OSK\AppData\Local\Temp\Caixa.pdf filepath_r: C:\Program Files\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000001a8 inherit_handles: 0	success	1
1620016734.83497 CreateProcessInternalW	thread_identifier: 2128 thread_handle: 0x000000fc process_identifier: 2764 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f13aa37174903d14951c141da29ec4bc.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000104 inherit_handles: 0	success	1
1620016734.83497 NtUnmapViewOfSection	process_identifier: 2764 region_size: 4096 process_handle: 0x00000104 base_address: 0x00400000	success	0
1620016734.84997 NtMapViewOfSection	section_handle: 0x00000108 process_identifier: 2764 commit_size: 208896 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: process_handle: 0x00000104 allocation_type: 0 () section_offset: 0 view_size: 208896 base_address: 0x00400000	success	0
1620016734.86597 NtGetContextThread	thread_handle: 0x000000fc	success	0
1620016734.86597 NtSetContextThread	thread_handle: 0x000000fc registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4203565 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2764	success	0
1620016736.61597 NtResumeThread	thread_handle: 0x000000fc suspend_count: 1 process_identifier: 2764	success	0
1620016737.59997 CreateProcessInternalW	thread_identifier: 3484 thread_handle: 0x00000110 process_identifier: 3480 current_directory: filepath: track: 1 command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f13aa37174903d14951c141da29ec4bc.exe" 2 2764 7334437 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) process_handle: 0x00000100 inherit_handles: 0	success	1
1620016733.94372 NtResumeThread	thread_handle: 0x0000000000000078 suspend_count: 1 process_identifier: 4080	success	0
1620016734.63172 CreateProcessInternalW	thread_identifier: 3224 thread_handle: 0x00000000000000c0 process_identifier: 3228 current_directory: filepath: C:\Program Files\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef23c4f50,0x7fef23c4f60,0x7fef23c4f70 filepath_r: C:\Program Files\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000000000000c4 inherit_handles: 1	success	1
1620016735.756845 NtResumeThread	thread_handle: 0x00000000000000d8 suspend_count: 1 process_identifier: 3228	success	0

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Bkav	W32.AIDetectVM.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.Siggen2.53590
MicroWorld-eScan	Gen:Variant.Graftor.810042
FireEye	Generic.mg.f13aa37174903d14
ALYac	Gen:Variant.Graftor.810042
Cylance	Unsafe
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/DelfInject.ali2000015
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.174903
Arcabit	Trojan.Graftor.DC5C3A
BitDefenderTheta	Gen:NN.ZelphiF.34700.NmGfauAwW9bi
Cyren	W32/Injector.WBKW-0758
Symantec	Trojan Horse
ESET-NOD32	a variant of Win32/Injector.EMWU
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Trojan.Win32.Kryptik.aqw
BitDefender	Gen:Variant.Graftor.810042
NANO-Antivirus	Trojan.Win32.Kryptik.hqpgma
Paloalto	generic.ml
AegisLab	Trojan.Multi.Generic.4!c
Rising	Trojan.Injector!1.C961 (CLASSIC)
Ad-Aware	Gen:Variant.Graftor.810042
Emsisoft	Gen:Variant.Graftor.810042 (B)
Comodo	Malware@#1qgnt4gtql27b
F-Secure	Heuristic.HEUR/AGEN.1139633
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Trojan.Win32.MALREP.THJOGBO
McAfee-GW-Edition	Fareit-FPQ!8DE130B47BB7
Sophos	Mal/Generic-S
Ikarus	Trojan.Inject
Jiangmin	Backdoor.Androm.axef
eGambit	Unsafe.AI_Score_97%
Avira	HEUR/AGEN.1139633
Antiy-AVL	Trojan/Win32.Generic
Gridinsoft	Trojan.Win32.Kryptik.oa
Microsoft	Trojan:Win32/Fareit.VD!MTB
ZoneAlarm	Trojan.Win32.Kryptik.aqw
GData	Gen:Variant.Graftor.810042
Cynet	Malicious (score: 100)
AhnLab-V3	Suspicious/Win.Delphiless.X2094
McAfee	Artemis!F13AA3717490
MAX	malware (ai score=81)
VBA32	TScope.Trojan.Delf
Malwarebytes	Spyware.LokiBot
TrendMicro-HouseCall	Trojan.Win32.MALREP.THJOGBO
Tencent	Win32.Trojan.Injector.Dzta
Yandex	Trojan.Igent.bUdY9M.31

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library KERNEL32.DLL:

• 0x51ee8c LoadLibraryA

• 0x51ee90 GetProcAddress

• 0x51ee94 VirtualProtect

• 0x51ee98 VirtualAlloc

• 0x51ee9c VirtualFree

• 0x51eea0 ExitProcess

Library advapi32.dll:

• 0x51eea8 RegCloseKey

Library comctl32.dll:

• 0x51eeb0 ImageList_Add

Library comdlg32.dll:

• 0x51eeb8 GetOpenFileNameA

Library gdi32.dll:

• 0x51eec0 SaveDC

Library ole32.dll:

• 0x51eec8 OleDraw

Library oleaut32.dll:

• 0x51eed0 VariantCopy

Library user32.dll:

• 0x51eed8 GetDC

Library version.dll:

• 0x51eee0 VerQueryValueA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.