SmartHawk

9.0

极危

49 个模型检测该样本为恶意！

重新分析

下载样本

c9e3b73cd0bfb2a80b1ac9b3e45272975bdac5ed76ac3f9a5a2e963d82370cca

21ce722319d2e436a23302c488c8e474.exe

分析耗时

83s

最近分析

文件大小

4.9MB

静态报毒动态报毒 @P1@AUGUC8FI AI SCORE=82 ATTRIBUTE CONFIDENCE DANGEROUSSIG DOWNLOADER34 FTAB GENERICKD HACKTOOL HIGHCONFIDENCE HQVU HRYKUL KRYPTIK MALICIOUS PE MIMIKATZ R002C0WHF20 SCARSI SCORE SUSGEN UNCLASSIFIEDMALWARE@0 UNSAFE ZEMSILF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Trojan-FTAB!21CE722319D2	20200908	6.0.6.653
Alibaba	HackTool:Win32/Mimikatz.5b3b7bbf	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_60% (W)	20190702	1.0
Tencent	Msil.Trojan.Scarsi.Hqvu	20200908	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft		20200908	2013.8.14.323

Queries for the computername (6 个事件)

Time & API	Arguments	Status	Return
1619276706.280875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619276706.311875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619276706.311875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619276706.327875 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619276709.592875 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619276709.592875 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (3 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269224.338662 IsDebuggerPresent		failed	0	0
1619269224.338662 IsDebuggerPresent		failed	0	0
1619276706.717875 IsDebuggerPresent		failed	0	0

Uses Windows APIs to generate a cryptographic key (50 out of 64 个事件)

Time & API	Arguments	Status	Return
1619276707.717875 CryptExportKey	crypto_handle: 0x006b00d0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.389875 CryptExportKey	crypto_handle: 0x006aff90 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.389875 CryptExportKey	crypto_handle: 0x006aff90 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.389875 CryptExportKey	crypto_handle: 0x006aff90 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.436875 CryptExportKey	crypto_handle: 0x006aff90 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.436875 CryptExportKey	crypto_handle: 0x006aff90 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.436875 CryptExportKey	crypto_handle: 0x006aff90 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.452875 CryptExportKey	crypto_handle: 0x006aff90 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.483875 CryptExportKey	crypto_handle: 0x006af4d0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.483875 CryptExportKey	crypto_handle: 0x006af4d0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.514875 CryptExportKey	crypto_handle: 0x006af4d0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.514875 CryptExportKey	crypto_handle: 0x006af4d0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.514875 CryptExportKey	crypto_handle: 0x006af4d0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.514875 CryptExportKey	crypto_handle: 0x006af4d0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.764875 CryptExportKey	crypto_handle: 0x006afa10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.764875 CryptExportKey	crypto_handle: 0x006afa10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.764875 CryptExportKey	crypto_handle: 0x006afa10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.780875 CryptExportKey	crypto_handle: 0x006afa10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.780875 CryptExportKey	crypto_handle: 0x006afa10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.780875 CryptExportKey	crypto_handle: 0x006afa10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276708.795875 CryptExportKey	crypto_handle: 0x006afa10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.295875 CryptExportKey	crypto_handle: 0x006afdd0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.295875 CryptExportKey	crypto_handle: 0x006afdd0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.295875 CryptExportKey	crypto_handle: 0x006afdd0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.311875 CryptExportKey	crypto_handle: 0x006af910 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.311875 CryptExportKey	crypto_handle: 0x006afdd0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.311875 CryptExportKey	crypto_handle: 0x006afdd0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.311875 CryptExportKey	crypto_handle: 0x006afdd0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.311875 CryptExportKey	crypto_handle: 0x006afdd0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.311875 CryptExportKey	crypto_handle: 0x006afdd0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.311875 CryptExportKey	crypto_handle: 0x006afdd0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.327875 CryptExportKey	crypto_handle: 0x006afdd0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.389875 CryptExportKey	crypto_handle: 0x006afdd0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.389875 CryptExportKey	crypto_handle: 0x006afdd0 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.467875 CryptExportKey	crypto_handle: 0x006afd10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.467875 CryptExportKey	crypto_handle: 0x006afd10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.467875 CryptExportKey	crypto_handle: 0x006afd10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.483875 CryptExportKey	crypto_handle: 0x006afd10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.483875 CryptExportKey	crypto_handle: 0x006afd10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.483875 CryptExportKey	crypto_handle: 0x006afd10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.498875 CryptExportKey	crypto_handle: 0x006afd10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.545875 CryptExportKey	crypto_handle: 0x006af390 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.545875 CryptExportKey	crypto_handle: 0x006af390 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.623875 CryptExportKey	crypto_handle: 0x006af390 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.623875 CryptExportKey	crypto_handle: 0x006af390 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.639875 CryptExportKey	crypto_handle: 0x006af390 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.639875 CryptExportKey	crypto_handle: 0x006af390 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.639875 CryptExportKey	crypto_handle: 0x006af390 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.639875 CryptExportKey	crypto_handle: 0x006af390 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1619276709.639875 CryptExportKey	crypto_handle: 0x006af390 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1

This executable is signed

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269224.370662 GlobalMemoryStatusEx		success	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 191 个事件)

Time & API	Arguments	Status	Return
1619269223.776662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00be0000	success	0
1619269223.776662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d30000	success	0
1619269224.088662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x02490000	success	0
1619269224.088662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x025a0000	success	0
1619269224.213662 NtProtectVirtualMemory	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success	0
1619269224.338662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x025e0000	success	0
1619269224.338662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02780000	success	0
1619269224.338662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a5a000	success	0
1619269224.338662 NtProtectVirtualMemory	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success	0
1619269224.338662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a52000	success	0
1619269224.682662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a62000	success	0
1619269224.776662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a95000	success	0
1619269224.776662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a9b000	success	0
1619269224.776662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a97000	success	0
1619269224.870662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a63000	success	0
1619269224.901662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a6c000	success	0
1619269224.932662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bb0000	success	0
1619269225.010662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a64000	success	0
1619269225.010662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a65000	success	0
1619269225.323662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bb1000	success	0
1619269225.338662 NtProtectVirtualMemory	process_identifier: 2864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00000000	failed	3221225496
1619269225.604662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a66000	success	0
1619269227.416662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x1a540000	success	0
1619269227.416662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 13049856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x1a541000	success	0
1619269228.198662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a67000	success	0
1619269228.307662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a86000	success	0
1619269228.307662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a68000	success	0
1619269228.323662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a69000	success	0
1619269228.416662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x1b1b3000	success	0
1619269228.416662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a8a000	success	0
1619269228.416662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a87000	success	0
1619269228.495662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c80000	success	0
1619269228.510662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x1b1b4000	success	0
1619269228.541662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x1b1b5000	success	0
1619269228.557662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a6d000	success	0
1619269229.573662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c81000	success	0
1619269229.588662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x1b1b6000	success	0
1619269229.604662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00a5c000	success	0
1619269229.604662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x1b1b9000	success	0
1619269229.838662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00c82000	success	0
1619269229.948662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x1b1bd000	success	0
1619269230.057662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x1b1be000	success	0
1619269230.073662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x1b1bf000	success	0
1619269230.073662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d10000	success	0
1619269230.088662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d11000	success	0
1619269230.135662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d12000	success	0
1619269237.010662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d13000	success	0
1619269237.010662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d14000	success	0
1619269237.010662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d15000	success	0
1619269247.323662 NtAllocateVirtualMemory	process_identifier: 2864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d16000	success	0

Creates a shortcut to an executable file (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 个事件)

cmdline

"powershell" Get-MpPreference -verbose

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269230.291662 CreateProcessInternalW	thread_identifier: 3000 thread_handle: 0x00000214 process_identifier: 2760 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "powershell" Get-MpPreference -verbose filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x00000220 inherit_handles: 1	success	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619269247.354662 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0
1619276707.592875 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Terminates another process (50 out of 176 个事件)

Time & API	Arguments	Status
1619269247.932662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1948 process_handle: 0x00000238	failed
1619269247.932662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1948 process_handle: 0x00000238	success
1619269248.588662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1760 process_handle: 0x00000248	failed
1619269248.588662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1760 process_handle: 0x00000248	success
1619269249.151662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2448 process_handle: 0x00000250	failed
1619269249.151662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2448 process_handle: 0x00000250	success
1619269249.666662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2604 process_handle: 0x00000258	failed
1619269249.666662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2604 process_handle: 0x00000258	success
1619269250.120662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2252 process_handle: 0x00000260	failed
1619269250.120662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2252 process_handle: 0x00000260	success
1619269250.604662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2040 process_handle: 0x00000268	failed
1619269250.604662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2040 process_handle: 0x00000268	success
1619269251.026662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2200 process_handle: 0x00000270	failed
1619269251.026662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2200 process_handle: 0x00000270	success
1619269251.479662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 200 process_handle: 0x00000278	failed
1619269251.479662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 200 process_handle: 0x00000278	success
1619269251.916662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1632 process_handle: 0x00000280	failed
1619269251.916662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1632 process_handle: 0x00000280	success
1619269252.416662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1244 process_handle: 0x00000288	failed
1619269252.416662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 1244 process_handle: 0x00000288	success
1619269252.838662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 952 process_handle: 0x00000290	failed
1619269252.838662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 952 process_handle: 0x00000290	success
1619269253.291662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2576 process_handle: 0x00000298	failed
1619269253.291662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2576 process_handle: 0x00000298	success
1619269253.791662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2988 process_handle: 0x000002a0	failed
1619269253.791662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 2988 process_handle: 0x000002a0	success
1619269254.245662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3088 process_handle: 0x000002a8	failed
1619269254.245662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3088 process_handle: 0x000002a8	success
1619269254.760662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3152 process_handle: 0x000002b0	failed
1619269254.760662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3152 process_handle: 0x000002b0	success
1619269255.151662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3224 process_handle: 0x000002c0	failed
1619269255.151662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3224 process_handle: 0x000002c0	success
1619269255.870662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3372 process_handle: 0x000002c8	failed
1619269255.870662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3372 process_handle: 0x000002c8	success
1619269256.276662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3432 process_handle: 0x000002d0	failed
1619269256.276662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3432 process_handle: 0x000002d0	success
1619269256.838662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3492 process_handle: 0x000002d8	failed
1619269256.838662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3492 process_handle: 0x000002d8	success
1619269257.291662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3596 process_handle: 0x000002e0	failed
1619269257.291662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3596 process_handle: 0x000002e0	success
1619269258.057662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3672 process_handle: 0x000002e8	failed
1619269258.057662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3672 process_handle: 0x000002e8	success
1619269258.713662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3736 process_handle: 0x000002f0	failed
1619269258.713662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3736 process_handle: 0x000002f0	success
1619269259.385662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3812 process_handle: 0x000002f8	failed
1619269259.385662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3812 process_handle: 0x000002f8	success
1619269259.854662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3896 process_handle: 0x00000300	failed
1619269259.854662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3896 process_handle: 0x00000300	success
1619269260.307662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3956 process_handle: 0x00000308	failed
1619269260.307662 NtTerminateProcess	status_code: 0xffffffff process_identifier: 3956 process_handle: 0x00000308	success

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (50 out of 88 个事件)

Time & API	Arguments	Status	Return
1619269247.495662 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000230 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269248.151662 NtAllocateVirtualMemory	process_identifier: 1760 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000234 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269248.729662 NtAllocateVirtualMemory	process_identifier: 2448 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000244 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269249.338662 NtAllocateVirtualMemory	process_identifier: 2604 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000024c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269249.760662 NtAllocateVirtualMemory	process_identifier: 2252 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000254 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269250.245662 NtAllocateVirtualMemory	process_identifier: 2040 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000025c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269250.713662 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000264 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269251.120662 NtAllocateVirtualMemory	process_identifier: 200 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000026c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269251.588662 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000274 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269252.041662 NtAllocateVirtualMemory	process_identifier: 1244 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000027c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269252.510662 NtAllocateVirtualMemory	process_identifier: 952 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000284 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269252.932662 NtAllocateVirtualMemory	process_identifier: 2576 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000028c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269253.416662 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000294 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269253.885662 NtAllocateVirtualMemory	process_identifier: 3088 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000029c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269254.370662 NtAllocateVirtualMemory	process_identifier: 3152 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002a4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269254.838662 NtAllocateVirtualMemory	process_identifier: 3224 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002b8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269255.370662 NtAllocateVirtualMemory	process_identifier: 3372 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002bc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269255.979662 NtAllocateVirtualMemory	process_identifier: 3432 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002c4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269256.354662 NtAllocateVirtualMemory	process_identifier: 3492 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002cc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269256.979662 NtAllocateVirtualMemory	process_identifier: 3596 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002d4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269257.479662 NtAllocateVirtualMemory	process_identifier: 3672 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002dc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269258.229662 NtAllocateVirtualMemory	process_identifier: 3736 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002e4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269258.823662 NtAllocateVirtualMemory	process_identifier: 3812 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002ec allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269259.526662 NtAllocateVirtualMemory	process_identifier: 3896 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002f4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269259.963662 NtAllocateVirtualMemory	process_identifier: 3956 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002fc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269260.416662 NtAllocateVirtualMemory	process_identifier: 4016 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000304 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269260.870662 NtAllocateVirtualMemory	process_identifier: 4076 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000030c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269261.323662 NtAllocateVirtualMemory	process_identifier: 3132 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000314 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269261.760662 NtAllocateVirtualMemory	process_identifier: 3244 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000031c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269262.213662 NtAllocateVirtualMemory	process_identifier: 3420 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000324 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269262.698662 NtAllocateVirtualMemory	process_identifier: 3524 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000032c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269263.120662 NtAllocateVirtualMemory	process_identifier: 3692 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000334 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269263.557662 NtAllocateVirtualMemory	process_identifier: 3784 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000033c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269263.885662 NtAllocateVirtualMemory	process_identifier: 3908 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000344 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269264.135662 NtAllocateVirtualMemory	process_identifier: 4000 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000034c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269264.729662 NtAllocateVirtualMemory	process_identifier: 3084 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000354 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269265.307662 NtAllocateVirtualMemory	process_identifier: 3252 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000035c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269265.916662 NtAllocateVirtualMemory	process_identifier: 3508 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000364 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269266.370662 NtAllocateVirtualMemory	process_identifier: 3728 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000036c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269266.791662 NtAllocateVirtualMemory	process_identifier: 3844 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000374 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269267.291662 NtAllocateVirtualMemory	process_identifier: 3972 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000037c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269267.838662 NtAllocateVirtualMemory	process_identifier: 3164 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000384 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269268.276662 NtAllocateVirtualMemory	process_identifier: 3472 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000038c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269268.698662 NtAllocateVirtualMemory	process_identifier: 3880 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000394 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269269.151662 NtAllocateVirtualMemory	process_identifier: 4088 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000039c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269269.635662 NtAllocateVirtualMemory	process_identifier: 3448 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003a4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269270.104662 NtAllocateVirtualMemory	process_identifier: 3796 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003ac allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269270.510662 NtAllocateVirtualMemory	process_identifier: 3236 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003b4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269270.995662 NtAllocateVirtualMemory	process_identifier: 3804 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003bc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269271.448662 NtAllocateVirtualMemory	process_identifier: 3732 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003c4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

Installs itself for autorun at Windows startup (2 个事件)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell				reg_value	explorer.exe,"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\21ce722319d2e436a23302c488c8e474.exe				reg_value	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe

Manipulates memory of a non-child process indicative of process injection (50 out of 176 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2864 manipulating memory of non-child process 1948
Process injection	Process 2864 manipulating memory of non-child process 1760
Process injection	Process 2864 manipulating memory of non-child process 2448
Process injection	Process 2864 manipulating memory of non-child process 2604
Process injection	Process 2864 manipulating memory of non-child process 2252
Process injection	Process 2864 manipulating memory of non-child process 2040
Process injection	Process 2864 manipulating memory of non-child process 2200
Process injection	Process 2864 manipulating memory of non-child process 200
Process injection	Process 2864 manipulating memory of non-child process 1632
Process injection	Process 2864 manipulating memory of non-child process 1244
Process injection	Process 2864 manipulating memory of non-child process 952
Process injection	Process 2864 manipulating memory of non-child process 2576
Process injection	Process 2864 manipulating memory of non-child process 2988
Process injection	Process 2864 manipulating memory of non-child process 3088
Process injection	Process 2864 manipulating memory of non-child process 3152
Process injection	Process 2864 manipulating memory of non-child process 3224
Process injection	Process 2864 manipulating memory of non-child process 3372
Process injection	Process 2864 manipulating memory of non-child process 3432
Process injection	Process 2864 manipulating memory of non-child process 3492
Process injection	Process 2864 manipulating memory of non-child process 3596
Process injection	Process 2864 manipulating memory of non-child process 3672
Process injection	Process 2864 manipulating memory of non-child process 3736
Process injection	Process 2864 manipulating memory of non-child process 3812
Process injection	Process 2864 manipulating memory of non-child process 3896
Process injection	Process 2864 manipulating memory of non-child process 3956
1619269247.495662 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000230 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269248.151662 NtAllocateVirtualMemory	process_identifier: 1760 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000234 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269248.729662 NtAllocateVirtualMemory	process_identifier: 2448 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000244 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269249.338662 NtAllocateVirtualMemory	process_identifier: 2604 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000024c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269249.760662 NtAllocateVirtualMemory	process_identifier: 2252 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000254 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269250.245662 NtAllocateVirtualMemory	process_identifier: 2040 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000025c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269250.713662 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000264 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269251.120662 NtAllocateVirtualMemory	process_identifier: 200 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000026c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269251.588662 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000274 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269252.041662 NtAllocateVirtualMemory	process_identifier: 1244 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000027c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269252.510662 NtAllocateVirtualMemory	process_identifier: 952 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000284 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269252.932662 NtAllocateVirtualMemory	process_identifier: 2576 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000028c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269253.416662 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000294 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269253.885662 NtAllocateVirtualMemory	process_identifier: 3088 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000029c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269254.370662 NtAllocateVirtualMemory	process_identifier: 3152 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002a4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269254.838662 NtAllocateVirtualMemory	process_identifier: 3224 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002b8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269255.370662 NtAllocateVirtualMemory	process_identifier: 3372 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002bc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269255.979662 NtAllocateVirtualMemory	process_identifier: 3432 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002c4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269256.354662 NtAllocateVirtualMemory	process_identifier: 3492 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002cc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269256.979662 NtAllocateVirtualMemory	process_identifier: 3596 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002d4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269257.479662 NtAllocateVirtualMemory	process_identifier: 3672 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002dc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269258.229662 NtAllocateVirtualMemory	process_identifier: 3736 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002e4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269258.823662 NtAllocateVirtualMemory	process_identifier: 3812 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002ec allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269259.526662 NtAllocateVirtualMemory	process_identifier: 3896 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002f4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619269259.963662 NtAllocateVirtualMemory	process_identifier: 3956 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002fc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Disables Windows Security features (4 个事件)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring

Executed a process and injected code into it, probably while unpacking (50 out of 272 个事件)

Time & API	Arguments	Status	Return
1619269224.338662 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2864	success	0
1619269224.354662 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 2864	success	0
1619269224.416662 NtResumeThread	thread_handle: 0x0000016c suspend_count: 1 process_identifier: 2864	success	0
1619269230.291662 CreateProcessInternalW	thread_identifier: 3000 thread_handle: 0x00000214 process_identifier: 2760 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: track: 1 command_line: "powershell" Get-MpPreference -verbose filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x00000220 inherit_handles: 1	success	1
1619269247.495662 CreateProcessInternalW	thread_identifier: 1916 thread_handle: 0x0000022c process_identifier: 1948 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000230 inherit_handles: 0	success	1
1619269247.495662 NtGetContextThread	thread_handle: 0x0000022c	success	0
1619269247.495662 NtAllocateVirtualMemory	process_identifier: 1948 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000230 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269248.151662 CreateProcessInternalW	thread_identifier: 1824 thread_handle: 0x00000238 process_identifier: 1760 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000234 inherit_handles: 0	success	1
1619269248.151662 NtGetContextThread	thread_handle: 0x00000238	success	0
1619269248.151662 NtAllocateVirtualMemory	process_identifier: 1760 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000234 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269248.729662 CreateProcessInternalW	thread_identifier: 1816 thread_handle: 0x00000248 process_identifier: 2448 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000244 inherit_handles: 0	success	1
1619269248.729662 NtGetContextThread	thread_handle: 0x00000248	success	0
1619269248.729662 NtAllocateVirtualMemory	process_identifier: 2448 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000244 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269249.323662 CreateProcessInternalW	thread_identifier: 2964 thread_handle: 0x00000250 process_identifier: 2604 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x0000024c inherit_handles: 0	success	1
1619269249.323662 NtGetContextThread	thread_handle: 0x00000250	success	0
1619269249.338662 NtAllocateVirtualMemory	process_identifier: 2604 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000024c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269249.760662 CreateProcessInternalW	thread_identifier: 2256 thread_handle: 0x00000258 process_identifier: 2252 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000254 inherit_handles: 0	success	1
1619269249.760662 NtGetContextThread	thread_handle: 0x00000258	success	0
1619269249.760662 NtAllocateVirtualMemory	process_identifier: 2252 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000254 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269250.245662 CreateProcessInternalW	thread_identifier: 1688 thread_handle: 0x00000260 process_identifier: 2040 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x0000025c inherit_handles: 0	success	1
1619269250.245662 NtGetContextThread	thread_handle: 0x00000260	success	0
1619269250.245662 NtAllocateVirtualMemory	process_identifier: 2040 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000025c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269250.698662 CreateProcessInternalW	thread_identifier: 2560 thread_handle: 0x00000268 process_identifier: 2200 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000264 inherit_handles: 0	success	1
1619269250.713662 NtGetContextThread	thread_handle: 0x00000268	success	0
1619269250.713662 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000264 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269251.120662 CreateProcessInternalW	thread_identifier: 2420 thread_handle: 0x00000270 process_identifier: 200 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x0000026c inherit_handles: 0	success	1
1619269251.120662 NtGetContextThread	thread_handle: 0x00000270	success	0
1619269251.120662 NtAllocateVirtualMemory	process_identifier: 200 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000026c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269251.588662 CreateProcessInternalW	thread_identifier: 2308 thread_handle: 0x00000278 process_identifier: 1632 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000274 inherit_handles: 0	success	1
1619269251.588662 NtGetContextThread	thread_handle: 0x00000278	success	0
1619269251.588662 NtAllocateVirtualMemory	process_identifier: 1632 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000274 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269252.041662 CreateProcessInternalW	thread_identifier: 1124 thread_handle: 0x00000280 process_identifier: 1244 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x0000027c inherit_handles: 0	success	1
1619269252.041662 NtGetContextThread	thread_handle: 0x00000280	success	0
1619269252.041662 NtAllocateVirtualMemory	process_identifier: 1244 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000027c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269252.510662 CreateProcessInternalW	thread_identifier: 1868 thread_handle: 0x00000288 process_identifier: 952 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000284 inherit_handles: 0	success	1
1619269252.510662 NtGetContextThread	thread_handle: 0x00000288	success	0
1619269252.510662 NtAllocateVirtualMemory	process_identifier: 952 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000284 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269252.916662 CreateProcessInternalW	thread_identifier: 1712 thread_handle: 0x00000290 process_identifier: 2576 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x0000028c inherit_handles: 0	success	1
1619269252.932662 NtGetContextThread	thread_handle: 0x00000290	success	0
1619269252.932662 NtAllocateVirtualMemory	process_identifier: 2576 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000028c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269253.416662 CreateProcessInternalW	thread_identifier: 3056 thread_handle: 0x00000298 process_identifier: 2988 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x00000294 inherit_handles: 0	success	1
1619269253.416662 NtGetContextThread	thread_handle: 0x00000298	success	0
1619269253.416662 NtAllocateVirtualMemory	process_identifier: 2988 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000294 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269253.885662 CreateProcessInternalW	thread_identifier: 3092 thread_handle: 0x000002a0 process_identifier: 3088 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x0000029c inherit_handles: 0	success	1
1619269253.885662 NtGetContextThread	thread_handle: 0x000002a0	success	0
1619269253.885662 NtAllocateVirtualMemory	process_identifier: 3088 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000029c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269254.370662 CreateProcessInternalW	thread_identifier: 3156 thread_handle: 0x000002a8 process_identifier: 3152 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x000002a4 inherit_handles: 0	success	1
1619269254.370662 NtGetContextThread	thread_handle: 0x000002a8	success	0
1619269254.370662 NtAllocateVirtualMemory	process_identifier: 3152 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002a4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619269254.838662 CreateProcessInternalW	thread_identifier: 3228 thread_handle: 0x000002b0 process_identifier: 3224 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\21ce722319d2e436a23302c488c8e474.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) process_handle: 0x000002b8 inherit_handles: 0	success	1

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 个事件)

DrWeb	Trojan.DownLoader34.24921
MicroWorld-eScan	Trojan.GenericKD.34360159
FireEye	Generic.mg.21ce722319d2e436
CAT-QuickHeal	Trojan.MSIL
McAfee	Trojan-FTAB!21CE722319D2
Cylance	Unsafe
Zillya	Trojan.Scarsi.Win32.6274
Sangfor	Malware
K7AntiVirus	Trojan ( 0056c8461 )
Alibaba	HackTool:Win32/Mimikatz.5b3b7bbf
K7GW	Trojan ( 0056c8461 )
CrowdStrike	win/malicious_confidence_60% (W)
Arcabit	Trojan.Generic.D20C4B5F
Invincea	Mal/Generic-S
BitDefenderTheta	Gen:NN.ZemsilF.34216.@p1@augUC8fi
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Scarsi.gen
BitDefender	Trojan.GenericKD.34360159
NANO-Antivirus	Trojan.Win32.Scarsi.hrykul
Tencent	Msil.Trojan.Scarsi.Hqvu
Ad-Aware	Trojan.GenericKD.34360159
Sophos	Mal/Generic-S
Comodo	.UnclassifiedMalware@0
F-Secure	Trojan.TR/Dropper.Gen
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0WHF20
Emsisoft	Trojan.GenericKD.34360159 (B)
Ikarus	Trojan.Inject
Avira	TR/Dropper.Gen
Antiy-AVL	Trojan/MSIL.Scarsi
Microsoft	HackTool:Win64/Mimikatz.A
AegisLab	Trojan.MSIL.Scarsi.4!c
ZoneAlarm	HEUR:Trojan.MSIL.Scarsi.gen
GData	Trojan.GenericKD.34360159
Cynet	Malicious (score: 85)
ALYac	Trojan.GenericKD.34360159
MAX	malware (ai score=82)
Malwarebytes	Trojan.Dropper.MSIL
ESET-NOD32	a variant of MSIL/Kryptik.XIQ
TrendMicro-HouseCall	TROJ_GEN.R002C0WHF20
SentinelOne	DFI - Malicious PE
Fortinet	MSIL/Kryptik.XIQ!tr
MaxSecure	Trojan.Malware.73692792.susgen
AVG	Win32:DangerousSig [Trj]
Cybereason	malicious.f8a66a
Panda	Trj/CI.A
Qihoo-360	Generic/Trojan.31e

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2099-11-10 16:07:55

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58370	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.