10.6
0-day

53e4f5df0428b043d69593a2875bace25b99e5f2b9f7fc7630a4f8ef5b75251f

f3e08bc3e89bfac7262d91276334f066.exe

Analysis time

119s

Last analysis

File size

6.2MB
Static detections / dynamic detections: @JW@AINZZ@HI AGEN AGENTTESLA AI SCORE=82 AIDETECTVM AUTOKMS AVSARHER BS1QXV CONFIDENCE DELF DELPHILESS EEQQ ELDORADO ELWE ELXR EQJZ FAREIT GENERIC@ML HIGH CONFIDENCE HKBZVH JAB9X8ZEM KRYPTIK LZRT MALWARE2 MALWARE@#1LAGU04DI490L ORCUS R + MAL R03BC0CJT20 RDMK RYPQZHA SCORE STATIC AI SUSPICIOUS PE TRJGEN TSCOPE TSGENERIC UNSAFE X2059 ZELPHIF
Eagle Eye engine
Not detected: no Eagle Eye engine detection results yet
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
Alibaba Backdoor:Win32/Kryptik.1f868141 20190527 0.3.0.5
Avast Win32:Malware-gen 20201210 21.1.5827.0
Tencent Win32.Trojan.Kryptik.Eeqq 20201211 1.0.0.1
Baidu 20190318 1.0.0.2
McAfee Fareit-FTB!F3E08BC3E89B 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_80% (W) 20190702 1.0
Static indicators
Queries for the computername (4 events)
Time & API Arguments Status Return Repeated
1620830800.942021
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620830803.942021
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620830804.879021
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620830805.004021
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1620830779.786021
IsDebuggerPresent
failed 0 0
1620830803.223021
IsDebuggerPresent
failed 0 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (10 events)
Time & API Arguments Status Return Repeated
1620831202.626125
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 40959544
registers.edi: 0
registers.eax: 0
registers.ebp: 40959880
registers.edx: 53
registers.ebx: 0
registers.esi: 0
registers.ecx: 626
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b5 90 00 00 e9
exception.symbol: f3e08bc3e89bfac7262d91276334f066+0x57950
exception.instruction: div eax
exception.module: f3e08bc3e89bfac7262d91276334f066.exe
exception.exception_code: 0xc0000094
exception.offset: 358736
exception.address: 0x457950
success 0 0
1620831210.9705
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x747ae97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x747aea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x747ab25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x747ab4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x747aac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x747aaed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x747a5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x747a559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74fd7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74fd4de3
f3e08bc3e89bfac7262d91276334f066+0xf2a4d @ 0x4f2a4d
f3e08bc3e89bfac7262d91276334f066+0xeb254 @ 0x4eb254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb914ad
success 0 0
1620831209.611375
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 54984248
registers.edi: 0
registers.eax: 0
registers.ebp: 54984584
registers.edx: 53
registers.ebx: 0
registers.esi: 0
registers.ecx: 595
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b5 90 00 00 e9
exception.symbol: f3e08bc3e89bfac7262d91276334f066+0x57950
exception.instruction: div eax
exception.module: f3e08bc3e89bfac7262d91276334f066.exe
exception.exception_code: 0xc0000094
exception.offset: 358736
exception.address: 0x457950
success 0 0
1620831247.87575
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 40107576
registers.edi: 0
registers.eax: 0
registers.ebp: 40107912
registers.edx: 54
registers.ebx: 0
registers.esi: 0
registers.ecx: 845
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b5 90 00 00 e9
exception.symbol: f3e08bc3e89bfac7262d91276334f066+0x57950
exception.instruction: div eax
exception.module: f3e08bc3e89bfac7262d91276334f066.exe
exception.exception_code: 0xc0000094
exception.offset: 358736
exception.address: 0x457950
success 0 0
1620831255.1425
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x74fbe97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x74fbea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x74fbb25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x74fbb4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x74fbac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x74fbaed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x74fb5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x74fb559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75187f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75184de3
f3e08bc3e89bfac7262d91276334f066+0xf2a4d @ 0x4f2a4d
f3e08bc3e89bfac7262d91276334f066+0xeb254 @ 0x4eb254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff5014ad
success 0 0
1620831256.3455
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 54066744
registers.edi: 0
registers.eax: 0
registers.ebp: 54067080
registers.edx: 54
registers.ebx: 0
registers.esi: 0
registers.ecx: 345
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b5 90 00 00 e9
exception.symbol: f3e08bc3e89bfac7262d91276334f066+0x57950
exception.instruction: div eax
exception.module: f3e08bc3e89bfac7262d91276334f066.exe
exception.exception_code: 0xc0000094
exception.offset: 358736
exception.address: 0x457950
success 0 0
1620831263.783125
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 55311928
registers.edi: 0
registers.eax: 0
registers.ebp: 55312264
registers.edx: 54
registers.ebx: 0
registers.esi: 0
registers.ecx: 767
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b5 90 00 00 e9
exception.symbol: f3e08bc3e89bfac7262d91276334f066+0x57950
exception.instruction: div eax
exception.module: f3e08bc3e89bfac7262d91276334f066.exe
exception.exception_code: 0xc0000094
exception.offset: 358736
exception.address: 0x457950
success 0 0
1620831272.533125
__exception__
stacktrace:
CreateFileMappingW+0xe5 OpenFileMappingW-0x29 kernelbase+0xdc73 @ 0x778edc73
GetFileVersion+0xa7 ND_RI2-0x2eb mscoreei+0xe97b @ 0x749ee97b
GetFileVersion+0x1bb ND_RI2-0x1d7 mscoreei+0xea8f @ 0x749eea8f
RegisterShimImplCallback+0x48e5 CLRCreateInstance-0x13e6 mscoreei+0xb25a @ 0x749eb25a
RegisterShimImplCallback+0x4b52 CLRCreateInstance-0x1179 mscoreei+0xb4c7 @ 0x749eb4c7
RegisterShimImplCallback+0x4300 CLRCreateInstance-0x19cb mscoreei+0xac75 @ 0x749eac75
RegisterShimImplCallback+0x4561 CLRCreateInstance-0x176a mscoreei+0xaed6 @ 0x749eaed6
CreateConfigStream+0xc89 _CorExeMain-0x62 mscoreei+0x5511 @ 0x749e5511
_CorExeMain+0x2b _CorExeMain2-0x141 mscoreei+0x559e @ 0x749e559e
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75187f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75184de3
f3e08bc3e89bfac7262d91276334f066+0xf2a4d @ 0x4f2a4d
f3e08bc3e89bfac7262d91276334f066+0xeb254 @ 0x4eb254
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1634372
registers.edi: 2
registers.eax: 1
registers.ebp: 1634412
registers.edx: 228
registers.ebx: 983045
registers.esi: 1634532
registers.ecx: 228
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdc514ad
success 0 0
1620831273.15825
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 55967288
registers.edi: 0
registers.eax: 0
registers.ebp: 55967624
registers.edx: 54
registers.ebx: 0
registers.esi: 0
registers.ecx: 157
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b5 90 00 00 e9
exception.symbol: f3e08bc3e89bfac7262d91276334f066+0x57950
exception.instruction: div eax
exception.module: f3e08bc3e89bfac7262d91276334f066.exe
exception.exception_code: 0xc0000094
exception.offset: 358736
exception.address: 0x457950
success 0 0
1620831276.070359
__exception__
stacktrace:
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 55115320
registers.edi: 0
registers.eax: 0
registers.ebp: 55115656
registers.edx: 54
registers.ebx: 0
registers.esi: 0
registers.ecx: 70
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 b5 90 00 00 e9
exception.symbol: f3e08bc3e89bfac7262d91276334f066+0x57950
exception.instruction: div eax
exception.module: f3e08bc3e89bfac7262d91276334f066.exe
exception.exception_code: 0xc0000094
exception.offset: 358736
exception.address: 0x457950
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Performs some HTTP requests (1 event)
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Allocates read-write-execute memory (usually to unpack itself) (50 out of 102 events)
Time & API Arguments Status Return Repeated
1620831202.439125
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1620831202.626125
NtProtectVirtualMemory
process_identifier: 2064
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00457000
success 0 0
1620831202.642125
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00ad0000
success 0 0
1620831209.1735
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620831209.2205
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x021b0000
success 0 0
1620831209.2205
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02310000
success 0 0
1620831209.2365
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 958464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x021b0000
success 0 0
1620831209.2365
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 925696
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x021b2000
success 0 0
1620831209.7835
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02350000
success 0 0
1620831209.7835
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x024d0000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1620831210.9085
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620831210.9235
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1620831210.9235
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620831210.9235
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1620831210.9235
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1620831210.9235
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00672000
success 0 0
1620831210.9235
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620831209.580375
NtAllocateVirtualMemory
process_identifier: 1704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1620831209.611375
NtProtectVirtualMemory
process_identifier: 1704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00457000
success 0 0
1620831209.611375
NtAllocateVirtualMemory
process_identifier: 1704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02440000
success 0 0
1620831247.78275
NtAllocateVirtualMemory
process_identifier: 3272
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02240000
success 0 0
1620831247.89175
NtProtectVirtualMemory
process_identifier: 3272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00457000
success 0 0
1620831247.89175
NtAllocateVirtualMemory
process_identifier: 3272
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02410000
success 0 0
1620831254.4865
NtProtectVirtualMemory
process_identifier: 3380
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620831254.5015
NtAllocateVirtualMemory
process_identifier: 3380
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x020e0000
success 0 0
1620831254.5015
NtAllocateVirtualMemory
process_identifier: 3380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02230000
success 0 0
1620831254.5015
NtAllocateVirtualMemory
process_identifier: 3380
region_size: 958464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x020e0000
success 0 0
1620831254.5175
NtProtectVirtualMemory
process_identifier: 3380
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 925696
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x020e2000
success 0 0
1620831254.5335
NtAllocateVirtualMemory
process_identifier: 3380
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02290000
success 0 0
1620831254.5335
NtAllocateVirtualMemory
process_identifier: 3380
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022d0000
success 0 0
1620831254.9865
NtProtectVirtualMemory
process_identifier: 3380
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fe2000
success 0 0
1620831254.9865
NtProtectVirtualMemory
process_identifier: 3380
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620831255.0015
NtProtectVirtualMemory
process_identifier: 3380
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fe2000
success 0 0
1620831255.0015
NtProtectVirtualMemory
process_identifier: 3380
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1620831255.0015
NtProtectVirtualMemory
process_identifier: 3380
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fe2000
success 0 0
1620831255.0015
NtProtectVirtualMemory
process_identifier: 3380
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1620831255.0015
NtProtectVirtualMemory
process_identifier: 3380
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fe2000
success 0 0
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\signtool.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\KMSAuto x64.exe
Creates a suspicious process (2 events)
cmdline "wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
cmdline "C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\KMSAuto.tmp" /Y
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\KMSAuto x64.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\signtool.exe
Executes one or more WMI queries (1 event)
wmi SELECT ServiceName FROM Win32_NetworkAdapter
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (22 events)
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620831219.500875
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.803393016498045 section {'size_of_data': '0x005c2a00', 'virtual_address': '0x00070000', 'entropy': 7.803393016498045, 'name': '.rsrc', 'virtual_size': '0x005c2904'} description A section with a high entropy has been found
entropy 0.9332331302903252 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process f3e08bc3e89bfac7262d91276334f066.exe
Repeatedly searches for a not-found process; you may want to run a web browser during analysis (7 events)
Time & API Arguments Status Return Repeated
1620831202.658125
Process32NextW
process_name: f3e08bc3e89bfac7262d91276334f066.exe
snapshot_handle: 0x000000f0
process_identifier: 2064
failed 0 0
1620831245.876375
Process32NextW
process_name: WmiPrvSE.exe
snapshot_handle: 0x00000518
process_identifier: 3176
failed 0 0
1620831248.15775
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f0
process_identifier: 3368
failed 0 0
1620831262.6895
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x00000158
process_identifier: 3584
failed 0 0
1620831263.861125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f0
process_identifier: 3672
failed 0 0
1620831275.79825
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000138
process_identifier: 3924
failed 0 0
1620831276.086359
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f0
process_identifier: 4048
failed 0 0
Uses Windows utilities for basic Windows functionality (1 event)
cmdline "wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (6 events)
Process injection Process 2064 called NtSetContextThread to modify thread in remote process 3000
Process injection Process 3272 called NtSetContextThread to modify thread in remote process 3380
Process injection Process 3608 called NtSetContextThread to modify thread in remote process 3724
Time & API Arguments Status Return Repeated
1620831208.486125
NtSetContextThread
thread_handle: 0x00000228
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 6167968
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3000
success 0 0
1620831253.64175
NtSetContextThread
thread_handle: 0x000000f4
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 6167968
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3380
success 0 0
1620831270.126125
NtSetContextThread
thread_handle: 0x000000f4
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 6167968
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3724
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (6 events)
Process injection Process 2064 resumed a thread in remote process 3000
Process injection Process 3272 resumed a thread in remote process 3380
Process injection Process 3608 resumed a thread in remote process 3724
Time & API Arguments Status Return Repeated
1620831208.939125
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 3000
success 0 0
1620831254.21975
NtResumeThread
thread_handle: 0x000000f4
suspend_count: 1
process_identifier: 3380
success 0 0
1620831271.455125
NtResumeThread
thread_handle: 0x000000f4
suspend_count: 1
process_identifier: 3724
success 0 0
Executed a process and injected code into it, probably while unpacking (35 events)
Time & API Arguments Status Return Repeated
1620831208.205125
CreateProcessInternalW
thread_identifier: 2136
thread_handle: 0x00000254
process_identifier: 2060
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\KMSAuto x64.exe
track: 1
command_line: "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\KMSAuto x64.exe"
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\KMSAuto x64.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000024c
inherit_handles: 0
success 1 0
1620831208.361125
CreateProcessInternalW
thread_identifier: 2504
thread_handle: 0x00000228
process_identifier: 3000
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f3e08bc3e89bfac7262d91276334f066.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000021c
inherit_handles: 0
success 1 0
1620831208.361125
NtUnmapViewOfSection
process_identifier: 3000
region_size: 4096
process_handle: 0x0000021c
base_address: 0x00400000
success 0 0
1620831208.361125
NtMapViewOfSection
section_handle: 0x000001b8
process_identifier: 3000
commit_size: 1982464
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x0000021c
allocation_type: 0 ()
section_offset: 0
view_size: 1982464
base_address: 0x00400000
success 0 0
1620831208.486125
NtGetContextThread
thread_handle: 0x00000228
success 0 0
1620831208.486125
NtSetContextThread
thread_handle: 0x00000228
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 6167968
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3000
success 0 0
1620831208.939125
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 3000
success 0 0
1620831209.189125
CreateProcessInternalW
thread_identifier: 3044
thread_handle: 0x000001bc
process_identifier: 1704
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f3e08bc3e89bfac7262d91276334f066.exe" 2 3000 14495234
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001ac
inherit_handles: 0
success 1 0
1620830780.364021
NtResumeThread
thread_handle: 0x000000000000012c
suspend_count: 1
process_identifier: 2060
success 0 0
1620830780.598021
CreateProcessInternalW
thread_identifier: 2260
thread_handle: 0x0000000000000114
process_identifier: 200
current_directory:
filepath:
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\KMSAuto.tmp" /Y
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000000000000144
inherit_handles: 1
success 1 0
1620830784.692021
NtResumeThread
thread_handle: 0x0000000000000118
suspend_count: 1
process_identifier: 2060
success 0 0
1620830785.114021
CreateProcessInternalW
thread_identifier: 1176
thread_handle: 0x0000000000000128
process_identifier: 1932
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\signtool.exe" verify /v /ph /sha1 648384a4dee53d4c1c87e10d67cc99307ccc9c98 "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\KMSAuto x64.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000000000000148
inherit_handles: 1
success 1 0
1620830797.036021
CreateProcessInternalW
thread_identifier: 3064
thread_handle: 0x000000000000019c
process_identifier: 1208
current_directory: C:\Windows\System32
filepath:
track: 1
command_line: "wmic.exe" path Win32_NetworkAdapter get ServiceName /value /FORMAT:List
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000000000001ac
inherit_handles: 1
success 1 0
1620830845.567021
NtResumeThread
thread_handle: 0x00000000000001ac
suspend_count: 1
process_identifier: 2060
success 0 0
1620831247.205375
CreateProcessInternalW
thread_identifier: 3276
thread_handle: 0x0000051c
process_identifier: 3272
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f3e08bc3e89bfac7262d91276334f066.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f3e08bc3e89bfac7262d91276334f066.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000520
inherit_handles: 0
success 1 0
1620831216.672875
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 1932
success 0 0
1620831219.204875
NtResumeThread
thread_handle: 0x000002ec
suspend_count: 1
process_identifier: 1932
success 0 0
1620831227.844875
NtResumeThread
thread_handle: 0x00000318
suspend_count: 1
process_identifier: 1932
success 0 0
1620831237.141875
NtResumeThread
thread_handle: 0x000002f4
suspend_count: 1
process_identifier: 1932
success 0 0
1620831253.54775
CreateProcessInternalW
thread_identifier: 3384
thread_handle: 0x000000f4
process_identifier: 3380
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f3e08bc3e89bfac7262d91276334f066.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000f8
inherit_handles: 0
success 1 0
1620831253.54775
NtUnmapViewOfSection
process_identifier: 3380
region_size: 4096
process_handle: 0x000000f8
base_address: 0x00400000
success 0 0
1620831253.54775
NtMapViewOfSection
section_handle: 0x00000100
process_identifier: 3380
commit_size: 1982464
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000f8
allocation_type: 0 ()
section_offset: 0
view_size: 1982464
base_address: 0x00400000
success 0 0
1620831253.64175
NtGetContextThread
thread_handle: 0x000000f4
success 0 0
1620831253.64175
NtSetContextThread
thread_handle: 0x000000f4
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 6167968
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3380
success 0 0
1620831254.21975
NtResumeThread
thread_handle: 0x000000f4
suspend_count: 1
process_identifier: 3380
success 0 0
1620831255.53275
CreateProcessInternalW
thread_identifier: 3448
thread_handle: 0x000000fc
process_identifier: 3444
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f3e08bc3e89bfac7262d91276334f066.exe" 2 3380 14540515
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1620831263.3305
CreateProcessInternalW
thread_identifier: 3612
thread_handle: 0x0000015c
process_identifier: 3608
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f3e08bc3e89bfac7262d91276334f066.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f3e08bc3e89bfac7262d91276334f066.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000160
inherit_handles: 0
success 1 0
1620831269.970125
CreateProcessInternalW
thread_identifier: 3728
thread_handle: 0x000000f4
process_identifier: 3724
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f3e08bc3e89bfac7262d91276334f066.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000f8
inherit_handles: 0
success 1 0
1620831269.970125
NtUnmapViewOfSection
process_identifier: 3724
region_size: 4096
process_handle: 0x000000f8
base_address: 0x00400000
success 0 0
1620831269.986125
NtMapViewOfSection
section_handle: 0x00000100
process_identifier: 3724
commit_size: 1982464
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000f8
allocation_type: 0 ()
section_offset: 0
view_size: 1982464
base_address: 0x00400000
success 0 0
1620831270.111125
NtGetContextThread
thread_handle: 0x000000f4
success 0 0
1620831270.126125
NtSetContextThread
thread_handle: 0x000000f4
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 6167968
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3724
success 0 0
1620831271.455125
NtResumeThread
thread_handle: 0x000000f4
suspend_count: 1
process_identifier: 3724
success 0 0
1620831272.501125
CreateProcessInternalW
thread_identifier: 3788
thread_handle: 0x000000fc
process_identifier: 3784
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f3e08bc3e89bfac7262d91276334f066.exe" 2 3724 14557750
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1620831275.84525
CreateProcessInternalW
thread_identifier: 3936
thread_handle: 0x0000013c
process_identifier: 3932
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f3e08bc3e89bfac7262d91276334f066.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f3e08bc3e89bfac7262d91276334f066.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000140
inherit_handles: 0
success 1 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Agent.EQJZ
FireEye Generic.mg.f3e08bc3e89bfac7
CAT-QuickHeal Trojan.AutoKMS
ALYac Trojan.Agent.EQJZ
Cylance Unsafe
Zillya Trojan.Injector.Win32.736076
Sangfor Malware
K7AntiVirus Trojan ( 005666ff1 )
Alibaba Backdoor:Win32/Kryptik.1f868141
K7GW Trojan ( 005666ff1 )
Cybereason malicious.b2b4e4
Arcabit Trojan.Agent.EQJZ
BitDefenderTheta Gen:NN.ZelphiF.34670.@JW@ainzz@hi
Cyren W32/Injector.ABY.gen!Eldorado
Symantec SMG.Heur!gen
ESET-NOD32 a variant of Win32/Injector.ELWE
APEX Malicious
Avast Win32:Malware-gen
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Trojan.Agent.EQJZ
NANO-Antivirus Trojan.Win32.TrjGen.hkbzvh
Paloalto generic.ml
AegisLab Trojan.Win32.Kryptik.4!c
Tencent Win32.Trojan.Kryptik.Eeqq
Ad-Aware Trojan.Agent.EQJZ
Emsisoft Trojan.Agent.EQJZ (B)
Comodo Malware@#1lagu04di490l
F-Secure Heuristic.HEUR/AGEN.1133569
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R03BC0CJT20
McAfee-GW-Edition BehavesLike.Win32.Fareit.vc
Sophos Mal/Generic-R + Mal/Fareit-AA
SentinelOne Static AI - Suspicious PE
Avira HEUR/AGEN.1133569
Antiy-AVL Trojan/Win32.TSGeneric
Microsoft Backdoor:MSIL/Orcus.A!rfn
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Win32.Trojan.Injector.PA
Cynet Malicious (score: 85)
AhnLab-V3 Suspicious/Win.Delphiless.X2059
McAfee Fareit-FTB!F3E08BC3E89B
MAX malware (ai score=82)
VBA32 TScope.Trojan.Delf
Malwarebytes Spyware.AgentTesla
Zoner Trojan.Win32.66831
TrendMicro-HouseCall TROJ_GEN.R03BC0CJT20
Rising Trojan.Generic@ML.99 (RDMK:JAB9X8zEm/lzRT/RYPqZHA)
Yandex Trojan.AvsArher.bS1qxV
Visual Analysis
Binary Image
No binary image: no binary visualization image was generated for this sample.
Runtime Screenshots
No runtime screenshots: no screenshots were captured while this sample was running.


PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x464150 VirtualFree
0x464154 VirtualAlloc
0x464158 LocalFree
0x46415c LocalAlloc
0x464160 GetVersion
0x464164 GetCurrentThreadId
0x464170 VirtualQuery
0x464174 WideCharToMultiByte
0x464178 MultiByteToWideChar
0x46417c lstrlenA
0x464180 lstrcpynA
0x464184 LoadLibraryExA
0x464188 GetThreadLocale
0x46418c GetStartupInfoA
0x464190 GetProcAddress
0x464194 GetModuleHandleA
0x464198 GetModuleFileNameA
0x46419c GetLocaleInfoA
0x4641a0 GetCommandLineA
0x4641a4 FreeLibrary
0x4641a8 FindFirstFileA
0x4641ac FindClose
0x4641b0 ExitProcess
0x4641b4 WriteFile
0x4641bc RtlUnwind
0x4641c0 RaiseException
0x4641c4 GetStdHandle
Library user32.dll:
0x4641cc GetKeyboardType
0x4641d0 LoadStringA
0x4641d4 MessageBoxA
0x4641d8 CharNextA
Library advapi32.dll:
0x4641e0 RegQueryValueExA
0x4641e4 RegOpenKeyExA
0x4641e8 RegCloseKey
Library oleaut32.dll:
0x4641f0 SysFreeString
0x4641f4 SysReAllocStringLen
0x4641f8 SysAllocStringLen
Library kernel32.dll:
0x464200 TlsSetValue
0x464204 TlsGetValue
0x464208 LocalAlloc
0x46420c GetModuleHandleA
Library advapi32.dll:
0x464214 RegQueryValueExA
0x464218 RegOpenKeyExA
0x46421c RegCloseKey
Library kernel32.dll:
0x464224 lstrcpyA
0x464228 lstrcmpA
0x46422c WriteFile
0x464230 WaitForSingleObject
0x464234 VirtualQuery
0x464238 VirtualProtect
0x46423c VirtualAlloc
0x464240 Sleep
0x464244 SizeofResource
0x464248 SetThreadLocale
0x46424c SetFilePointer
0x464250 SetEvent
0x464254 SetErrorMode
0x464258 SetEndOfFile
0x46425c ResetEvent
0x464260 ReadFile
0x464264 MulDiv
0x464268 LockResource
0x46426c LoadResource
0x464270 LoadLibraryA
0x46427c GlobalUnlock
0x464280 GlobalReAlloc
0x464284 GlobalHandle
0x464288 GlobalLock
0x46428c GlobalFree
0x464290 GlobalFindAtomA
0x464294 GlobalDeleteAtom
0x464298 GlobalAlloc
0x46429c GlobalAddAtomA
0x4642a0 GetVersionExA
0x4642a4 GetVersion
0x4642a8 GetTickCount
0x4642ac GetThreadLocale
0x4642b4 GetSystemTime
0x4642b8 GetSystemInfo
0x4642bc GetStringTypeExA
0x4642c0 GetStdHandle
0x4642c4 GetProcAddress
0x4642c8 GetModuleHandleA
0x4642cc GetModuleFileNameA
0x4642d0 GetLocaleInfoA
0x4642d4 GetLocalTime
0x4642d8 GetLastError
0x4642dc GetFullPathNameA
0x4642e0 GetDiskFreeSpaceA
0x4642e4 GetDateFormatA
0x4642e8 GetCurrentThreadId
0x4642ec GetCurrentProcessId
0x4642f0 GetCPInfo
0x4642f4 GetACP
0x4642f8 FreeResource
0x4642fc InterlockedExchange
0x464300 FreeLibrary
0x464304 FormatMessageA
0x464308 FindResourceA
0x464310 ExitThread
0x464314 EnumCalendarInfoA
0x464320 CreateThread
0x464324 CreateFileA
0x464328 CreateEventA
0x46432c CompareStringA
0x464330 CloseHandle
Library version.dll:
0x464338 VerQueryValueA
0x464340 GetFileVersionInfoA
Library gdi32.dll:
0x464348 UnrealizeObject
0x46434c StretchBlt
0x464350 SetWindowOrgEx
0x464354 SetViewportOrgEx
0x464358 SetTextColor
0x46435c SetStretchBltMode
0x464360 SetROP2
0x464364 SetPixel
0x464368 SetDIBColorTable
0x46436c SetBrushOrgEx
0x464370 SetBkMode
0x464374 SetBkColor
0x464378 SelectPalette
0x46437c SelectObject
0x464380 SaveDC
0x464384 RestoreDC
0x464388 Rectangle
0x46438c RectVisible
0x464390 RealizePalette
0x464394 PatBlt
0x464398 MoveToEx
0x46439c MaskBlt
0x4643a0 LineTo
0x4643a4 IntersectClipRect
0x4643a8 GetWindowOrgEx
0x4643ac GetTextMetricsA
0x4643b8 GetStockObject
0x4643bc GetPixel
0x4643c0 GetPaletteEntries
0x4643c4 GetObjectA
0x4643c8 GetDeviceCaps
0x4643cc GetDIBits
0x4643d0 GetDIBColorTable
0x4643d4 GetDCOrgEx
0x4643dc GetClipBox
0x4643e0 GetBrushOrgEx
0x4643e4 GetBitmapBits
0x4643e8 ExcludeClipRect
0x4643ec DeleteObject
0x4643f0 DeleteDC
0x4643f4 CreateSolidBrush
0x4643f8 CreatePenIndirect
0x4643fc CreatePalette
0x464404 CreateFontIndirectA
0x464408 CreateDIBitmap
0x46440c CreateDIBSection
0x464410 CreateCompatibleDC
0x464418 CreateBrushIndirect
0x46441c CreateBitmap
0x464420 BitBlt
Library user32.dll:
0x464428 CreateWindowExA
0x46442c WindowFromPoint
0x464430 WinHelpA
0x464434 WaitMessage
0x464438 UpdateWindow
0x46443c UnregisterClassA
0x464440 UnhookWindowsHookEx
0x464444 TranslateMessage
0x46444c TrackPopupMenu
0x464454 ShowWindow
0x464458 ShowScrollBar
0x46445c ShowOwnedPopups
0x464460 ShowCursor
0x464464 SetWindowsHookExA
0x464468 SetWindowTextA
0x46446c SetWindowPos
0x464470 SetWindowPlacement
0x464474 SetWindowLongA
0x464478 SetTimer
0x46447c SetScrollRange
0x464480 SetScrollPos
0x464484 SetScrollInfo
0x464488 SetRect
0x46448c SetPropA
0x464490 SetParent
0x464494 SetMenuItemInfoA
0x464498 SetMenu
0x46449c SetForegroundWindow
0x4644a0 SetFocus
0x4644a4 SetCursor
0x4644a8 SetClassLongA
0x4644ac SetCapture
0x4644b0 SetActiveWindow
0x4644b4 SendMessageA
0x4644b8 ScrollWindow
0x4644bc ScreenToClient
0x4644c0 RemovePropA
0x4644c4 RemoveMenu
0x4644c8 ReleaseDC
0x4644cc ReleaseCapture
0x4644d8 RegisterClassA
0x4644dc RedrawWindow
0x4644e0 PtInRect
0x4644e4 PostQuitMessage
0x4644e8 PostMessageA
0x4644ec PeekMessageA
0x4644f0 OffsetRect
0x4644f4 OemToCharA
0x4644f8 MessageBoxA
0x4644fc MapWindowPoints
0x464500 MapVirtualKeyA
0x464504 LoadStringA
0x464508 LoadKeyboardLayoutA
0x46450c LoadIconA
0x464510 LoadCursorA
0x464514 LoadBitmapA
0x464518 KillTimer
0x46451c IsZoomed
0x464520 IsWindowVisible
0x464524 IsWindowEnabled
0x464528 IsWindow
0x46452c IsRectEmpty
0x464530 IsIconic
0x464534 IsDialogMessageA
0x464538 IsChild
0x46453c InvalidateRect
0x464540 IntersectRect
0x464544 InsertMenuItemA
0x464548 InsertMenuA
0x46454c InflateRect
0x464554 GetWindowTextA
0x464558 GetWindowRect
0x46455c GetWindowPlacement
0x464560 GetWindowLongA
0x464564 GetWindowDC
0x464568 GetTopWindow
0x46456c GetSystemMetrics
0x464570 GetSystemMenu
0x464574 GetSysColorBrush
0x464578 GetSysColor
0x46457c GetSubMenu
0x464580 GetScrollRange
0x464584 GetScrollPos
0x464588 GetScrollInfo
0x46458c GetPropA
0x464590 GetParent
0x464594 GetWindow
0x464598 GetMenuStringA
0x46459c GetMenuState
0x4645a0 GetMenuItemInfoA
0x4645a4 GetMenuItemID
0x4645a8 GetMenuItemCount
0x4645ac GetMenu
0x4645b0 GetLastActivePopup
0x4645b4 GetKeyboardState
0x4645bc GetKeyboardLayout
0x4645c0 GetKeyState
0x4645c4 GetKeyNameTextA
0x4645c8 GetIconInfo
0x4645cc GetForegroundWindow
0x4645d0 GetFocus
0x4645d4 GetDesktopWindow
0x4645d8 GetDCEx
0x4645dc GetDC
0x4645e0 GetCursorPos
0x4645e4 GetCursor
0x4645e8 GetClientRect
0x4645ec GetClassNameA
0x4645f0 GetClassInfoA
0x4645f4 GetCapture
0x4645f8 GetActiveWindow
0x4645fc FrameRect
0x464600 FindWindowA
0x464604 FillRect
0x464608 EqualRect
0x46460c EnumWindows
0x464610 EnumThreadWindows
0x464614 EndPaint
0x464618 EnableWindow
0x46461c EnableScrollBar
0x464620 EnableMenuItem
0x464624 DrawTextA
0x464628 DrawMenuBar
0x46462c DrawIconEx
0x464630 DrawIcon
0x464634 DrawFrameControl
0x464638 DrawFocusRect
0x46463c DrawEdge
0x464640 DispatchMessageA
0x464644 DestroyWindow
0x464648 DestroyMenu
0x46464c DestroyIcon
0x464650 DestroyCursor
0x464654 DeleteMenu
0x464658 DefWindowProcA
0x46465c DefMDIChildProcA
0x464660 DefFrameProcA
0x464664 CreatePopupMenu
0x464668 CreateMenu
0x46466c CreateIcon
0x464670 ClientToScreen
0x464674 CheckMenuItem
0x464678 CallWindowProcA
0x46467c CallNextHookEx
0x464680 BeginPaint
0x464684 CharNextA
0x464688 CharLowerA
0x46468c CharToOemA
0x464690 AdjustWindowRectEx
Library kernel32.dll:
0x46469c Sleep
Library oleaut32.dll:
0x4646a4 SafeArrayPtrOfIndex
0x4646a8 SafeArrayGetUBound
0x4646ac SafeArrayGetLBound
0x4646b0 SafeArrayCreate
0x4646b4 VariantChangeType
0x4646b8 VariantCopy
0x4646bc VariantClear
0x4646c0 VariantInit
Library ole32.dll:
0x4646c8 CoTaskMemAlloc
0x4646cc CoCreateInstance
0x4646d0 CoUninitialize
0x4646d4 CoInitialize
Library comctl32.dll:
0x4646e4 ImageList_Write
0x4646e8 ImageList_Read
0x4646f8 ImageList_DragMove
0x4646fc ImageList_DragLeave
0x464700 ImageList_DragEnter
0x464704 ImageList_EndDrag
0x464708 ImageList_BeginDrag
0x46470c ImageList_Remove
0x464710 ImageList_DrawEx
0x464714 ImageList_Draw
0x464724 ImageList_Add
0x46472c ImageList_Destroy
0x464730 ImageList_Create
0x464734 InitCommonControls
Library winmm.dll:
0x46473c mciSendCommandA
0x464740 mciGetErrorStringA

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49188 119.147.227.210 www.download.windowsupdate.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54260 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58070 224.0.0.252 5355
192.168.56.101 58970 224.0.0.252 5355
192.168.56.101 60221 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 19 Apr 2021 20:17:25 GMT
If-None-Match: "80f8835935d71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.