9.6
Critical

24eca73bdfe58a8028304039adf4b102f5185aaa551c033741267342c8f59e7b

23b0ad0daa0c8734d1fba86caa3bb12b.exe

Analysis duration

87s

Last analysis

File size

368.2KB
Static detection   Dynamic detection
鹰眼引擎 (Eagle Eye engine)
Not detected: no 鹰眼引擎 results for this sample
Static verdict
Antivirus engines
Not detected: no antivirus engine results for this sample
Static indicators
Queries for the computername (6 events)
Time & API Arguments Status Return Repeated
1619303256.788125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619303256.882125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619303256.929125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619303256.929125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619303265.616125
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619303265.616125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (3 events; a return value of 0 means no debugger was seen, which the sandbox renders as "failed")
Time & API Arguments Status Return Repeated
1619269232.239907
IsDebuggerPresent
failed 0 0
1619269232.255907
IsDebuggerPresent
failed 0 0
1619303258.070125
IsDebuggerPresent
failed 0 0
Command line console output was observed (8 events)
Time & API Arguments Status Return Repeated
1619303268.288125
WriteConsoleW
buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
console_handle: 0x00000023
success 1 0
1619303268.320125
WriteConsoleW
buffer: the spelling of the name, or if a path was included, verify that the path is correct and try again.
console_handle: 0x0000002f
success 1 0
1619303268.335125
WriteConsoleW
buffer: At line:1 char:17
console_handle: 0x0000003b
success 1 0
1619303268.351125
WriteConsoleW
buffer: + Add-MpPreference <<<< -ExclusionPath 'C:\Users\Administrator.Oskar-PC\AppDat
console_handle: 0x00000047
success 1 0
1619303268.382125
WriteConsoleW
buffer: a\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
console_handle: 0x00000053
success 1 0
1619303268.413125
WriteConsoleW
buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x0000005f
success 1 0
1619303268.429125
WriteConsoleW
buffer: mmandNotFoundException
console_handle: 0x0000006b
success 1 0
1619303268.445125
WriteConsoleW
buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000077
success 1 0
Uses Windows APIs to generate a cryptographic key (50 out of 64 events; blob_type 6 is PUBLICKEYBLOB, and a NULL export-key handle with no output buffer is the size-query form of CryptExportKey)
Time & API Arguments Status Return Repeated
1619303260.460125
CryptExportKey
crypto_handle: 0x003e7500
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.288125
CryptExportKey
crypto_handle: 0x003e73c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.304125
CryptExportKey
crypto_handle: 0x003e73c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.304125
CryptExportKey
crypto_handle: 0x003e73c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.382125
CryptExportKey
crypto_handle: 0x003e73c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.382125
CryptExportKey
crypto_handle: 0x003e73c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.382125
CryptExportKey
crypto_handle: 0x003e73c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.413125
CryptExportKey
crypto_handle: 0x003e73c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.632125
CryptExportKey
crypto_handle: 0x003e6900
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.632125
CryptExportKey
crypto_handle: 0x003e6900
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.741125
CryptExportKey
crypto_handle: 0x003e6900
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.741125
CryptExportKey
crypto_handle: 0x003e6900
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.757125
CryptExportKey
crypto_handle: 0x003e6900
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303262.757125
CryptExportKey
crypto_handle: 0x003e6900
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303263.163125
CryptExportKey
crypto_handle: 0x003e6e40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303263.163125
CryptExportKey
crypto_handle: 0x003e6e40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303263.179125
CryptExportKey
crypto_handle: 0x003e6e40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303263.195125
CryptExportKey
crypto_handle: 0x003e6e40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303263.195125
CryptExportKey
crypto_handle: 0x003e6e40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303263.195125
CryptExportKey
crypto_handle: 0x003e6e40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303263.210125
CryptExportKey
crypto_handle: 0x003e6e40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.476125
CryptExportKey
crypto_handle: 0x003e7200
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.476125
CryptExportKey
crypto_handle: 0x003e7200
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.476125
CryptExportKey
crypto_handle: 0x003e7200
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.476125
CryptExportKey
crypto_handle: 0x003e6d40
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.476125
CryptExportKey
crypto_handle: 0x003e7200
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.476125
CryptExportKey
crypto_handle: 0x003e7200
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.476125
CryptExportKey
crypto_handle: 0x003e7200
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.476125
CryptExportKey
crypto_handle: 0x003e7200
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.476125
CryptExportKey
crypto_handle: 0x003e7200
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.523125
CryptExportKey
crypto_handle: 0x003e7200
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.523125
CryptExportKey
crypto_handle: 0x003e7200
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.820125
CryptExportKey
crypto_handle: 0x003e7200
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303264.820125
CryptExportKey
crypto_handle: 0x003e7200
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.085125
CryptExportKey
crypto_handle: 0x003e7140
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.085125
CryptExportKey
crypto_handle: 0x003e7140
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.101125
CryptExportKey
crypto_handle: 0x003e7140
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.132125
CryptExportKey
crypto_handle: 0x003e7140
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.132125
CryptExportKey
crypto_handle: 0x003e7140
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.132125
CryptExportKey
crypto_handle: 0x003e7140
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.179125
CryptExportKey
crypto_handle: 0x003e7140
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.366125
CryptExportKey
crypto_handle: 0x003e67c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.382125
CryptExportKey
crypto_handle: 0x003e67c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.695125
CryptExportKey
crypto_handle: 0x003e67c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.695125
CryptExportKey
crypto_handle: 0x003e67c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.695125
CryptExportKey
crypto_handle: 0x003e67c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.695125
CryptExportKey
crypto_handle: 0x003e67c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.710125
CryptExportKey
crypto_handle: 0x003e67c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.741125
CryptExportKey
crypto_handle: 0x003e67c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619303265.757125
CryptExportKey
crypto_handle: 0x003e67c0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
This executable is signed
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619269232.333907
GlobalMemoryStatusEx
success 1 0
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 236 events)
Time & API Arguments Status Return Repeated
1619269231.583907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x007f0000
success 0 0
1619269231.583907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00990000
success 0 0
1619269231.848907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00b60000
success 0 0
1619269231.848907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d20000
success 0 0
1619269231.942907
NtProtectVirtualMemory
process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619269232.239907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00670000
success 0 0
1619269232.239907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00790000
success 0 0
1619269232.270907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0045a000
success 0 0
1619269232.270907
NtProtectVirtualMemory
process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619269232.270907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00452000
success 0 0
1619269232.848907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00472000
success 0 0
1619269233.208907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00495000
success 0 0
1619269233.208907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0049b000
success 0 0
1619269233.208907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00497000
success 0 0
1619269233.426907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00473000
success 0 0
1619269233.551907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0047c000
success 0 0
1619269233.708907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00474000
success 0 0
1619269233.739907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00770000
success 0 0
1619269233.895907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00475000
success 0 0
1619269234.817907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00476000
success 0 0
1619269234.880907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00771000
success 0 0
1619269234.973907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00778000
success 0 0
1619269235.223907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00486000
success 0 0
1619269235.223907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0048a000
success 0 0
1619269235.223907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00487000
success 0 0
1619269235.270907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00779000
success 0 0
1619269235.333907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00780000
success 0 0
1619269235.333907
NtProtectVirtualMemory
process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75109000
success 0 0
1619269235.630907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00477000
success 0 0
1619269236.036907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0077a000
success 0 0
1619269236.223907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00479000
success 0 0
1619269236.348907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0077d000
success 0 0
1619269236.458907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x011e0000
success 0 0
1619269236.473907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x011e1000
success 0 0
1619269237.067907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00d21000
success 0 0
1619269267.348907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x011e4000
success 0 0
1619269267.755907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01300000
success 0 0
1619269267.801907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01301000
success 0 0
1619269267.817907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01302000
success 0 0
1619269267.864907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x011e5000
success 0 0
1619269267.895907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0047a000
success 0 0
1619269267.895907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0048b000
success 0 0
1619269267.911907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00453000
success 0 0
1619269267.926907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01303000
success 0 0
1619269267.989907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0045c000
success 0 0
1619269268.223907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0048c000
success 0 0
1619269268.239907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01304000
success 0 0
1619269268.317907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01305000
success 0 0
1619269268.317907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0486f000
success 0 0
1619269268.317907
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04860000
success 0 0
A process attempted to delay the analysis task. (1 event)
description 23b0ad0daa0c8734d1fba86caa3bb12b.exe tried to sleep 150 seconds, actually delayed analysis time by 150 seconds
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (1 event)
cmdline "Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
The command tries to add a Windows Defender exclusion for a path under the user's Start Menu folder (defense evasion). The console output captured under the static indicators shows that the attempt failed on this guest because Add-MpPreference was not a recognized cmdlet.
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619269269.770907
CreateProcessInternalW
thread_identifier: 1124
thread_handle: 0x000002c4
process_identifier: 1036
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000002d0
inherit_handles: 1
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
entropy 7.385391486634011 section {'size_of_data': '0x00044a00', 'virtual_address': '0x00002000', 'entropy': 7.385391486634011, 'name': '.text', 'virtual_size': '0x00044884'} description A section with a high entropy has been found
entropy 7.303601883464241 section {'size_of_data': '0x00013200', 'virtual_address': '0x00048000', 'entropy': 7.303601883464241, 'name': '.rsrc', 'virtual_size': '0x00013080'} description A section with a high entropy has been found
entropy 0.9985775248933144 description Overall entropy of this PE file is high
The per-section values are Shannon entropy in bits per byte (maximum 8). The "overall" figure is on a different scale: it is the fraction of the file's section data (by size_of_data) that lies in sections above the high-entropy threshold, so 0.9986 means almost every section byte sits in the two flagged sections.
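The two scales in this section are easy to confuse, so the following Python is added here as an example (it is not code from the report or from the sandbox) that computes both: Shannon entropy per section in bits per byte, and the share of section data that lies in high-entropy sections, which is what the "overall" line reports. The 6.8 threshold and the ratio definition follow the Cuckoo packer_entropy signature whose description strings this report uses. REPORTED_SECTIONS reuses the two sizes and entropies listed above plus a hypothetical 0x200-byte third section; that third section is an assumption standing in for whatever the report did not list, and with it the ratio reproduces the 0.99858 figure.

```python
"""Section entropy and the "overall entropy" ratio (added example, not report code).

Per-section values are Shannon entropy in bits per byte (0..8). The "overall"
value is not an entropy at all: it is the share of section data that sits in
sections above HIGH_ENTROPY. Both are computed below.
"""
import math
from collections import Counter

HIGH_ENTROPY = 6.8  # a section above this counts as packed/encrypted data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_ratio(sections) -> float:
    """Fraction of raw section bytes lying in sections with entropy > HIGH_ENTROPY.

    `sections` is an iterable of (size_of_data, entropy) pairs, i.e. what a PE
    parser reports per section; the report's "overall entropy" is this ratio.
    """
    total = sum(size for size, _ in sections)
    packed = sum(size for size, ent in sections if ent > HIGH_ENTROPY)
    return packed / total if total else 0.0


def section_report(named_blobs):
    """(name, size, entropy rounded to 3 places, flagged) for raw section bytes."""
    rows = []
    for name, blob in named_blobs:
        ent = shannon_entropy(blob)
        rows.append((name, len(blob), round(ent, 3), ent > HIGH_ENTROPY))
    return rows


# Constructed section table: the two sizes/entropies shown in the report plus a
# hypothetical 0x200-byte low-entropy section standing in for the unlisted rest.
REPORTED_SECTIONS = [
    (0x00044A00, 7.385391486634011),  # .text
    (0x00013200, 7.303601883464241),  # .rsrc
    (0x00000200, 2.0),                # hypothetical remainder (assumption)
]

if __name__ == "__main__":
    import os
    demo = [(".text", os.urandom(4096)),          # looks packed
            (".data", b"\x00" * 4096),            # constant run
            (".rdata", bytes(range(256)) * 16)]   # uniform, maximal entropy
    for row in section_report(demo):
        print(row)
    print("overall ratio:", high_entropy_ratio(REPORTED_SECTIONS))
```

Two sections at 7.3 to 7.4 bits per byte are consistent with compressed or encrypted content but not proof of it on their own: a managed assembly's large resource section can score similarly, so the ratio is a triage signal to pair with the unpacking behavior recorded below.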
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1619269235.130907
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619303260.132125
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
One or more of the buffers contains an embedded PE file (1 event)
buffer Buffer with sha1: 3c3ed42629a1a395403fc9e1b2365f049ebd7e27
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619269269.083907
NtAllocateVirtualMemory
process_identifier: 1812
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002a0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Potential code injection by writing to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619269269.083907
WriteProcessMemory
process_identifier: 1812
buffer: @
process_handle: 0x000002a0
base_address: 0x7efde008
success 1 0
Creates a windows hook that monitors keyboard input (keylogger) (1 event)
Time & API Arguments Status Return Repeated
1619303249.10175
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x0040519b
module_address: 0x00000000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 131435 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 2292 called NtSetContextThread to modify thread in remote process 1812
Time & API Arguments Status Return Repeated
1619269269.083907
NtSetContextThread
thread_handle: 0x00000298
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4275060
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1812
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2292 resumed a thread in remote process 1812
Time & API Arguments Status Return Repeated
1619269269.536907
NtResumeThread
thread_handle: 0x00000298
suspend_count: 1
process_identifier: 1812
success 0 0
Executed a process and injected code into it, probably while unpacking (20 events)
Time & API Arguments Status Return Repeated
1619269232.255907
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2292
success 0 0
1619269232.286907
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2292
success 0 0
1619269232.364907
NtResumeThread
thread_handle: 0x00000174
suspend_count: 1
process_identifier: 2292
success 0 0
1619269269.067907
CreateProcessInternalW
thread_identifier: 196
thread_handle: 0x00000298
process_identifier: 1812
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\23b0ad0daa0c8734d1fba86caa3bb12b.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\23b0ad0daa0c8734d1fba86caa3bb12b.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000002a0
inherit_handles: 0
success 1 0
1619269269.083907
NtGetContextThread
thread_handle: 0x00000298
success 0 0
1619269269.083907
NtAllocateVirtualMemory
process_identifier: 1812
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002a0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619269269.083907
WriteProcessMemory
process_identifier: 1812
buffer:
process_handle: 0x000002a0
base_address: 0x00400000
success 1 0
1619269269.083907
WriteProcessMemory
process_identifier: 1812
buffer:
process_handle: 0x000002a0
base_address: 0x00401000
success 1 0
1619269269.083907
WriteProcessMemory
process_identifier: 1812
buffer:
process_handle: 0x000002a0
base_address: 0x00414000
success 1 0
1619269269.083907
WriteProcessMemory
process_identifier: 1812
buffer:
process_handle: 0x000002a0
base_address: 0x0041a000
success 1 0
1619269269.083907
WriteProcessMemory
process_identifier: 1812
buffer:
process_handle: 0x000002a0
base_address: 0x0041c000
success 1 0
1619269269.083907
WriteProcessMemory
process_identifier: 1812
buffer:
process_handle: 0x000002a0
base_address: 0x0041d000
success 1 0
1619269269.083907
WriteProcessMemory
process_identifier: 1812
buffer: @
process_handle: 0x000002a0
base_address: 0x7efde008
success 1 0
1619269269.083907
NtSetContextThread
thread_handle: 0x00000298
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4275060
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1812
success 0 0
1619269269.536907
NtResumeThread
thread_handle: 0x00000298
suspend_count: 1
process_identifier: 1812
success 0 0
1619269269.770907
CreateProcessInternalW
thread_identifier: 1124
thread_handle: 0x000002c4
process_identifier: 1036
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x000002d0
inherit_handles: 1
success 1 0
1619303258.070125
NtResumeThread
thread_handle: 0x0000029c
suspend_count: 1
process_identifier: 1036
success 0 0
1619303258.210125
NtResumeThread
thread_handle: 0x000002f0
suspend_count: 1
process_identifier: 1036
success 0 0
1619303266.960125
NtResumeThread
thread_handle: 0x000003b0
suspend_count: 1
process_identifier: 1036
success 0 0
1619303268.476125
NtResumeThread
thread_handle: 0x00000448
suspend_count: 1
process_identifier: 1036
success 0 0
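The call sequence recorded above for pid 1812 is process hollowing of a fresh copy of the sample's own executable: CreateProcessInternalW with CREATE_SUSPENDED, an RWX allocation at 0x00400000 inside the child, WriteProcessMemory of the image sections and of PEB+8 (the write to 0x7efde008, where the "@" is the printable 0x40 byte of the little-endian image base 0x00400000), NtSetContextThread, then NtResumeThread. The following Python is an added example, not code from the report or from the sandbox: a small signature pass that re-derives that verdict, and the Defender-exclusion verdict from the "Creates a suspicious process" section, from events shaped like the report's records. SAMPLE_EVENTS is constructed for the example; its pids, handles and the exclusion path are illustrative rather than copied from a real run.

```python
"""Signature pass over sandbox API events (added example, not report code).

Re-derives two verdicts from events shaped like the report's records:
  * process hollowing: a child created with CREATE_SUSPENDED receives an
    executable allocation, memory writes, a new thread context, and is resumed;
  * defense evasion: a spawned command line adds a Windows Defender exclusion.
SAMPLE_EVENTS is constructed; pids, handles and the path are illustrative.
"""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY share this nibble

# Steps a target pid must pass through, in this order, to count as hollowed.
HOLLOW_CHAIN = (
    "CreateProcessInternalW",   # child created suspended
    "NtAllocateVirtualMemory",  # executable region mapped into the child
    "WriteProcessMemory",       # image (and usually PEB.ImageBaseAddress) written
    "NtSetContextThread",       # entry point redirected through the thread context
    "NtResumeThread",           # child resumed to run the injected image
)
COMPLETE = len(HOLLOW_CHAIN)

# Add-MpPreference -ExclusionPath / -ExclusionExtension / -ExclusionProcess ...
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-(Exclusion(?:Path|Extension|Process))\b", re.IGNORECASE)


def hollowing_progress(events):
    """Map each suspended child pid to the number of chain steps observed so far."""
    progress = defaultdict(int)
    for ev in events:
        api, args = ev["api"], ev["args"]
        pid = args.get("process_identifier")
        if pid is None:
            continue
        if api == "CreateProcessInternalW":
            if args.get("creation_flags", 0) & CREATE_SUSPENDED:
                progress[pid] = 1  # step 0 done: a suspended child now exists
            continue
        step = progress[pid]
        if step == 0 or step >= COMPLETE or api != HOLLOW_CHAIN[step]:
            continue  # untracked pid, finished chain, or a call that does not advance it
        if api == "NtAllocateVirtualMemory" and not (args.get("protection", 0) & EXECUTE_MASK):
            continue  # a non-executable allocation is not the mapping step
        progress[pid] = step + 1
    return {pid: step for pid, step in progress.items() if step}


def detect_hollowing(events):
    """Pids for which the full hollowing chain was observed."""
    return sorted(p for p, s in hollowing_progress(events).items() if s == COMPLETE)


def detect_defender_exclusion(events):
    """(pid, exclusion kind) for each process spawned to add a Defender exclusion.

    Sees only the attempt; whether the cmdlet exists on the guest (the report's
    console output shows it did not) is a separate observation.
    """
    hits = []
    for ev in events:
        if ev["api"] == "CreateProcessInternalW":
            m = DEFENDER_EXCLUSION.search(ev["args"].get("command_line", ""))
            if m:
                hits.append((ev["args"]["process_identifier"], m.group(1)))
    return hits


SAMPLE_EVENTS = [  # constructed; shapes mirror the report, values are illustrative
    {"api": "NtResumeThread", "args": {"process_identifier": 2292, "thread_handle": 0xD8}},
    {"api": "CreateProcessInternalW", "args": {"process_identifier": 1812, "thread_handle": 0x298,
        "creation_flags": 0x08000000 | CREATE_SUSPENDED, "command_line": ""}},
    {"api": "NtGetContextThread", "args": {"thread_handle": 0x298}},
    {"api": "NtAllocateVirtualMemory", "args": {"process_identifier": 1812, "base_address": 0x00400000,
        "region_size": 0x20000, "protection": PAGE_EXECUTE_READWRITE}},
    {"api": "WriteProcessMemory", "args": {"process_identifier": 1812, "base_address": 0x00400000}},
    {"api": "WriteProcessMemory", "args": {"process_identifier": 1812, "base_address": 0x00401000}},
    {"api": "WriteProcessMemory", "args": {"process_identifier": 1812, "base_address": 0x7EFDE008}},  # PEB+8
    {"api": "NtSetContextThread", "args": {"process_identifier": 1812, "thread_handle": 0x298}},
    {"api": "NtResumeThread", "args": {"process_identifier": 1812, "thread_handle": 0x298}},
    {"api": "CreateProcessInternalW", "args": {"process_identifier": 1036, "thread_handle": 0x2C4,
        "creation_flags": 0x08000000, "command_line":
        "\"Powershell\" Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming\\vlc.exe'"}},
]

if __name__ == "__main__":
    print("chain progress:", hollowing_progress(SAMPLE_EVENTS))
    print("hollowed pids:", detect_hollowing(SAMPLE_EVENTS))
    print("defender exclusions:", detect_defender_exclusion(SAMPLE_EVENTS))
```

On 32-bit Windows the initial thread of a suspended process carries the PEB address in ebx and the entry point in eax, which is why the NtSetContextThread record above shows ebx 2130567168 (0x7EFDE000, the PEB whose +8 field was patched) and eax 4275060 (0x413B74, inside the 0x00400000 to 0x00420000 region that was just written). A detector that also reads the context can confirm that the new entry point lands in the injected region rather than in the original image.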
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample
Runtime screenshots
No screenshots: none were captured while the sample ran


PE Compile Time

2020-08-13 09:44:47

Imports

Library mscoree.dll (the only import; _CorExeMain is the CLR entry stub, so this is a managed .NET executable):
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51966 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.