Score: 6.4
Risk level: High
SHA256: c17b7612a5cd7b21ca202a966406d24d7d42047f13ba6254c5ea284d7d4fc764
File name: 43ab1e4d8499507ba762ed516b3c46f5.exe
Analysis duration: 129s
Last analyzed:
File size: 333.0KB

Static detection | Dynamic detection
鹰眼引擎 (Eagle Eye engine): not detected (no Eagle Eye engine result available)
Static verdict
Antivirus engines: not detected (no antivirus engine result available)

Static indicators
Checks if process is being debugged by a debugger (50 of 52 events shown)
All 50 calls are IsDebuggerPresent returning 0, i.e. no debugger was seen; the "failed" status reflects the zero return value, not an API error. The calls come in pairs from two processes (timestamps 1619384541 and 1619411445 onward, Unix epoch seconds about 7.5 hours apart).
Time | API | Status | Return | Repeated
1619384541.09425 | IsDebuggerPresent | failed | 0 | 0
1619384541.09425 | IsDebuggerPresent | failed | 0 | 0
1619411445.843249 | IsDebuggerPresent | failed | 0 | 0
1619411445.843249 | IsDebuggerPresent | failed | 0 | 0
1619411448.828626 | IsDebuggerPresent | failed | 0 | 0
1619411448.828626 | IsDebuggerPresent | failed | 0 | 0
1619411451.031249 | IsDebuggerPresent | failed | 0 | 0
1619411451.031249 | IsDebuggerPresent | failed | 0 | 0
1619411451.609374 | IsDebuggerPresent | failed | 0 | 0
1619411451.609374 | IsDebuggerPresent | failed | 0 | 0
1619411453.828751 | IsDebuggerPresent | failed | 0 | 0
1619411453.843751 | IsDebuggerPresent | failed | 0 | 0
1619411454.406249 | IsDebuggerPresent | failed | 0 | 0
1619411454.406249 | IsDebuggerPresent | failed | 0 | 0
1619411456.625626 | IsDebuggerPresent | failed | 0 | 0
1619411456.640626 | IsDebuggerPresent | failed | 0 | 0
1619411457.297001 | IsDebuggerPresent | failed | 0 | 0
1619411457.297001 | IsDebuggerPresent | failed | 0 | 0
1619411459.547499 | IsDebuggerPresent | failed | 0 | 0
1619411459.547499 | IsDebuggerPresent | failed | 0 | 0
1619411460.218501 | IsDebuggerPresent | failed | 0 | 0
1619411460.218501 | IsDebuggerPresent | failed | 0 | 0
1619411462.562499 | IsDebuggerPresent | failed | 0 | 0
1619411462.562499 | IsDebuggerPresent | failed | 0 | 0
1619411463.203249 | IsDebuggerPresent | failed | 0 | 0
1619411463.203249 | IsDebuggerPresent | failed | 0 | 0
1619411465.687124 | IsDebuggerPresent | failed | 0 | 0
1619411465.687124 | IsDebuggerPresent | failed | 0 | 0
1619411466.562249 | IsDebuggerPresent | failed | 0 | 0
1619411466.562249 | IsDebuggerPresent | failed | 0 | 0
1619411469.875001 | IsDebuggerPresent | failed | 0 | 0
1619411469.875001 | IsDebuggerPresent | failed | 0 | 0
1619411471.984501 | IsDebuggerPresent | failed | 0 | 0
1619411471.984501 | IsDebuggerPresent | failed | 0 | 0
1619411474.234751 | IsDebuggerPresent | failed | 0 | 0
1619411474.250751 | IsDebuggerPresent | failed | 0 | 0
1619411474.890001 | IsDebuggerPresent | failed | 0 | 0
1619411474.890001 | IsDebuggerPresent | failed | 0 | 0
1619411477.156876 | IsDebuggerPresent | failed | 0 | 0
1619411477.156876 | IsDebuggerPresent | failed | 0 | 0
1619411478.672374 | IsDebuggerPresent | failed | 0 | 0
1619411478.672374 | IsDebuggerPresent | failed | 0 | 0
1619411481.358876 | IsDebuggerPresent | failed | 0 | 0
1619411481.358876 | IsDebuggerPresent | failed | 0 | 0
1619411482.151688 | IsDebuggerPresent | failed | 0 | 0
1619411482.151688 | IsDebuggerPresent | failed | 0 | 0
1619411485.145687 | IsDebuggerPresent | failed | 0 | 0
1619411485.145687 | IsDebuggerPresent | failed | 0 | 0
1619411485.916938 | IsDebuggerPresent | failed | 0 | 0
1619411485.916938 | IsDebuggerPresent | failed | 0 | 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time | API | Status | Return | Repeated
1619384541.09425 | GlobalMemoryStatusEx | success | 1 | 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 792 events shown)
Every call below used process_handle 0xffffffff (the calling process itself), had stack_dep_bypass 0 and stack_pivoted 0, and returned success (Return 0, Repeated 0); those constant columns are omitted. Two processes are involved, 2196 and 708. For NtProtectVirtualMemory the Size column is the length argument and there is no allocation type; its base addresses (0x73..., 0x74..., 0x75...) fall in the range where system DLLs are typically mapped on 32-bit Windows, so those are protection changes on pages of already-loaded modules rather than fresh allocations.
Time | API | PID | Size (bytes) | Protection | Allocation type | Base address | heap_dep_bypass
1619384540.43725 | NtAllocateVirtualMemory | 2196 | 262144 | 64 (PAGE_EXECUTE_READWRITE) | 8192 (MEM_RESERVE) | 0x00320000 | 0
1619384540.43725 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00320000 | 1
1619384540.95325 | NtAllocateVirtualMemory | 2196 | 2097152 | 64 (PAGE_EXECUTE_READWRITE) | 8192 (MEM_RESERVE) | 0x00c00000 | 0
1619384540.95325 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00dc0000 | 1
1619384541.00025 | NtProtectVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | - | 0x73b91000 | 0
1619384541.09425 | NtAllocateVirtualMemory | 2196 | 1835008 | 64 (PAGE_EXECUTE_READWRITE) | 8192 (MEM_RESERVE) | 0x00c00000 | 0
1619384541.09425 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00d80000 | 1
1619384541.09425 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x003ca000 | 1
1619384541.09425 | NtProtectVirtualMemory | 2196 | 8192 | 64 (PAGE_EXECUTE_READWRITE) | - | 0x73b92000 | 0
1619384541.09425 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x003c2000 | 1
1619384541.26625 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x003d2000 | 1
1619384541.29725 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00405000 | 1
1619384541.31225 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x0040b000 | 1
1619384541.31225 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00407000 | 1
1619384541.50025 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x003d3000 | 1
1619384541.51625 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x003dc000 | 1
1619384541.54725 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00560000 | 1
1619384541.56225 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x003f6000 | 1
1619384541.56225 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x003fa000 | 1
1619384541.56225 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x003f7000 | 1
1619384541.59425 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x003d4000 | 1
1619384542.82825 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x003d5000 | 1
1619384542.93725 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00561000 | 1
1619384546.26625 | NtAllocateVirtualMemory | 2196 | 12288 | 64 (PAGE_EXECUTE_READWRITE) | 12288 (MEM_COMMIT+MEM_RESERVE) | 0x00c00000 | 0
1619384547.59425 | NtAllocateVirtualMemory | 2196 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00562000 | 1
1619411445.812249 | NtProtectVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | - | 0x74521000 | 0
1619411445.812249 | NtAllocateVirtualMemory | 708 | 1638400 | 64 (PAGE_EXECUTE_READWRITE) | 8192 (MEM_RESERVE) | 0x007d0000 | 0
1619411445.812249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00920000 | 1
1619411445.843249 | NtProtectVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | - | 0x73b91000 | 0
1619411445.843249 | NtProtectVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | - | 0x73ad1000 | 0
1619411445.843249 | NtAllocateVirtualMemory | 708 | 262144 | 64 (PAGE_EXECUTE_READWRITE) | 8192 (MEM_RESERVE) | 0x00450000 | 0
1619411445.843249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00450000 | 1
1619411445.843249 | NtProtectVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | - | 0x73b91000 | 0
1619411445.843249 | NtAllocateVirtualMemory | 708 | 1638400 | 64 (PAGE_EXECUTE_READWRITE) | 8192 (MEM_RESERVE) | 0x00960000 | 0
1619411445.843249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00ab0000 | 1
1619411445.843249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x0061a000 | 1
1619411445.843249 | NtProtectVirtualMemory | 708 | 8192 | 64 (PAGE_EXECUTE_READWRITE) | - | 0x73b92000 | 0
1619411445.843249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00612000 | 1
1619411445.859249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00622000 | 1
1619411445.859249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00645000 | 1
1619411445.859249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x0064b000 | 1
1619411445.859249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00647000 | 1
1619411445.859249 | NtProtectVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | - | 0x74511000 | 0
1619411445.859249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00623000 | 1
1619411445.859249 | NtProtectVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | - | 0x75061000 | 0
1619411445.859249 | NtAllocateVirtualMemory | 708 | 12288 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00624000 | 1
1619411445.875249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x0062c000 | 1
1619411445.875249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00b60000 | 1
1619411445.875249 | NtAllocateVirtualMemory | 708 | 53248 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00b61000 | 1
1619411445.906249 | NtAllocateVirtualMemory | 708 | 4096 | 64 (PAGE_EXECUTE_READWRITE) | 4096 (MEM_COMMIT) | 0x00627000 | 1
A process attempted to delay the analysis task (1 event)
description: RegAsm.exe tried to sleep 143 seconds, actually delayed analysis time by 143 seconds. RegAsm.exe is the legitimate .NET Framework assembly registration tool, so a long sleep issued from it suggests code running inside that process rather than RegAsm itself; the cross-process memory writes listed further down are consistent with that.
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
Section .text: entropy 7.094814915257107 bits per byte, size_of_data 0x00052e00, virtual_address 0x00002000, virtual_size 0x00052ca4. A section with high entropy has been found. A .text section starting at RVA 0x2000 is the layout the .NET compilers normally emit, which fits the RegAsm.exe host above.
Overall: 0.9969924812030075 of the PE's section data lies in high-entropy sections ("Overall entropy of this PE file is high"). This figure is a fraction, not a bits-per-byte entropy: 0x52e00 = 339456 bytes and 339456 / 0.99699 is approximately 340480, so every other section together holds about 1 KB, and the file is essentially one large high-entropy .text section.
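The two packer marks above come from a section-entropy heuristic. The following is an added example, not the sandbox's own code: it parses a PE section table (MZ header, e_lfanew, COFF header, IMAGE_SECTION_HEADER entries), computes the Shannon entropy of each section's raw data, and reports the share of section bytes that sit in high-entropy sections, which is the quantity the report calls "overall entropy". The thresholds (6.8 bits per section, 0.2 for the share) are this example's assumptions chosen to reproduce both marks. `build_pe` assembles a constructed PE fixture with a real header layout so the check can run offline; it contains no code and is not a runnable binary.

```python
"""Section-entropy packer check over a minimal PE section-table parser."""
import math
import random
import struct
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for uniform fill, about 8.0 for random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]    # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "size_of_data": rsize, "data": pe[rptr:rptr + rsize]})
    return sections


def packer_check(pe, section_threshold=6.8, ratio_threshold=0.2):
    """Per-section entropy plus the share of section bytes living in high-entropy sections.

    Both thresholds are assumptions of this example, picked to reproduce the report's marks.
    """
    sections = parse_sections(pe)
    total = sum(s["size_of_data"] for s in sections)
    high = 0
    for s in sections:
        s["entropy"] = shannon_entropy(s.pop("data"))
        if s["entropy"] > section_threshold:
            high += s["size_of_data"]
    ratio = high / total if total else 0.0
    return {"sections": sections, "high_entropy_ratio": ratio,
            "likely_packed": ratio > ratio_threshold}


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections):
    """Constructed 32-bit PE fixture: real header layout, no code, not a runnable binary."""
    header_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    raw_off, va, headers, bodies = _align(header_len, 0x200), 0x1000, [], []
    for name, data in sections:
        body = data.ljust(_align(len(data), 0x200), b"\0")           # file alignment 0x200
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                                   len(data), va, len(body), raw_off, 0, 0, 0, 0, 0x60000020))
        bodies.append(body)
        raw_off += len(body)
        va += _align(len(body), 0x1000)                               # section alignment 0x1000
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    optional = struct.pack("<H", 0x10B).ljust(224, b"\0")              # PE32 magic, rest zero
    head = dos + b"PE\0\0" + coff + optional + b"".join(headers)
    return head.ljust(_align(header_len, 0x200), b"\0") + b"".join(bodies)


# Constructed fixtures: a "packed" file whose .text is 20 KB of pseudo-random bytes,
# and a "clean" one whose .text is a repeated five-byte stub (push ebp; mov ebp,esp; pop ebp; ret).
_rng = random.Random(2021)
PACKED_SAMPLE = build_pe([(".text", bytes(_rng.getrandbits(8) for _ in range(0x5000))),
                          (".rsrc", bytes(0x400))])
CLEAN_SAMPLE = build_pe([(".text", b"\x55\x8b\xec\x5d\xc3" * 1000),
                         (".data", bytes(0x400))])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packer_check(sample))
```

On the packed fixture the .text entropy comes out near 8 bits and the high-entropy share is 0x5000/0x5400, so the file is flagged; on the clean fixture nothing crosses 6.8 bits and the share is 0. The ratio, not the per-section value, is what turns one high-entropy resource section in an otherwise normal binary into a non-finding.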
Checks for the Locally Unique Identifier on the system for a suspicious privilege (26 events)
Every call below is LookupPrivilegeValueW with an empty system_name (the local machine) and privilege_name SeDebugPrivilege, and every one succeeded (Return 1, Repeated 0). Resolving the LUID of SeDebugPrivilege is the usual first step before AdjustTokenPrivileges enables it, which is what a process needs to open other users' processes for the cross-process memory operations listed below.
Time | API | privilege_name | Status | Return | Repeated
1619384547.32825 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411459.390249 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411450.875626 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411462.140249 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411453.687374 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411464.968751 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411456.484249 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411467.750626 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411459.406001 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411470.672499 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411462.406501 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411473.672499 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411465.562249 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411477.187124 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411469.718249 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411481.250001 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411474.062501 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411485.843751 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411477.015001 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411488.968876 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411481.047374 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411492.593876 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411484.714688 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411496.332687 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411488.119938 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
1619411499.640626 | LookupPrivilegeValueW | SeDebugPrivilege | success | 1 | 0
Terminates another process (24 events)
All calls are NtTerminateProcess with status_code 0x00000001 and process_identifier 0 (the log did not resolve the target PID, only the handle). Each handle appears twice at the same timestamp, first logged as failed and then as succeeded; Return and Repeated are 0 throughout.
Time | API | process_handle | Status
1619411450.922626 | NtTerminateProcess | 0x0000026c | failed
1619411450.922626 | NtTerminateProcess | 0x0000026c | success
1619411453.734374 | NtTerminateProcess | 0x0000027c | failed
1619411453.734374 | NtTerminateProcess | 0x0000027c | success
1619411456.531249 | NtTerminateProcess | 0x00000270 | failed
1619411456.531249 | NtTerminateProcess | 0x00000270 | success
1619411459.468001 | NtTerminateProcess | 0x0000026c | failed
1619411459.468001 | NtTerminateProcess | 0x0000026c | success
1619411462.468501 | NtTerminateProcess | 0x0000028c | failed
1619411462.468501 | NtTerminateProcess | 0x0000028c | success
1619411465.609249 | NtTerminateProcess | 0x00000270 | failed
1619411465.609249 | NtTerminateProcess | 0x00000270 | success
1619411469.781249 | NtTerminateProcess | 0x00000284 | failed
1619411469.781249 | NtTerminateProcess | 0x00000284 | success
1619411474.125501 | NtTerminateProcess | 0x00000270 | failed
1619411474.125501 | NtTerminateProcess | 0x00000270 | success
1619411477.078001 | NtTerminateProcess | 0x00000278 | failed
1619411477.078001 | NtTerminateProcess | 0x00000278 | success
1619411481.297374 | NtTerminateProcess | 0x00000290 | failed
1619411481.297374 | NtTerminateProcess | 0x00000290 | success
1619411484.792688 | NtTerminateProcess | 0x00000290 | failed
1619411484.792688 | NtTerminateProcess | 0x00000290 | success
1619411488.197938 | NtTerminateProcess | 0x0000027c | failed
1619411488.197938 | NtTerminateProcess | 0x0000027c | success
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
172.217.0.0/16 is Google address space, so this contact may be a connectivity check rather than command-and-control; confirm against the packet capture before treating the address as an indicator.
Manipulates memory of a non-child process indicative of process injection (48 events)
Process injection: Process 2196 manipulating memory of non-child process 1880
Process injection: Process 2196 manipulating memory of non-child process 2040
Process injection: Process 2196 manipulating memory of non-child process 1760
Process injection: Process 2404 manipulating memory of non-child process 1688
Process injection: Process 3320 manipulating memory of non-child process 3524
Process injection: Process 3320 manipulating memory of non-child process 3560
Process injection: Process 3908 manipulating memory of non-child process 3992
Process injection: Process 3908 manipulating memory of non-child process 4028
Process injection: Process 3508 manipulating memory of non-child process 3152
Process injection: Process 3216 manipulating memory of non-child process 4008
Process injection: Process 3216 manipulating memory of non-child process 4080
Process injection: Process 3216 manipulating memory of non-child process 3372
Process injection: Process 4032 manipulating memory of non-child process 2104
Process injection: Process 4032 manipulating memory of non-child process 3816
Process injection: Process 4032 manipulating memory of non-child process 428
Process injection: Process 2956 manipulating memory of non-child process 3116
What separates these calls from the self-allocations above is the process_handle: a real handle to the target instead of the 0xffffffff pseudo-handle. Every call below is NtAllocateVirtualMemory committing one 4096-byte page (allocation_type 4096, MEM_COMMIT) as protection 4 (PAGE_READWRITE), with stack_dep_bypass, stack_pivoted and heap_dep_bypass all 0, and returned success (Return 0, Repeated 0). Each target receives exactly two pages, at 0x000a0000 and 0x000b0000 (0x000e0000 and 0x000f0000 for PID 1760); the pattern repeats across the later sources, which suggests the same routine is re-run in each of them.
Time | API | Target PID | process_handle | Base address
1619384546.82825 | NtAllocateVirtualMemory | 1880 | 0x00000224 | 0x000a0000
1619384546.82825 | NtAllocateVirtualMemory | 1880 | 0x00000224 | 0x000b0000
1619384546.84425 | NtAllocateVirtualMemory | 2040 | 0x00000230 | 0x000a0000
1619384546.84425 | NtAllocateVirtualMemory | 2040 | 0x00000230 | 0x000b0000
1619384546.85925 | NtAllocateVirtualMemory | 1760 | 0x00000244 | 0x000e0000
1619384546.85925 | NtAllocateVirtualMemory | 1760 | 0x00000244 | 0x000f0000
1619411453.672374 | NtAllocateVirtualMemory | 1688 | 0x00000224 | 0x000a0000
1619411453.672374 | NtAllocateVirtualMemory | 1688 | 0x00000224 | 0x000b0000
1619411462.375501 | NtAllocateVirtualMemory | 3524 | 0x00000224 | 0x000a0000
1619411462.375501 | NtAllocateVirtualMemory | 3524 | 0x00000224 | 0x000b0000
1619411462.390501 | NtAllocateVirtualMemory | 3560 | 0x00000238 | 0x000a0000
1619411462.390501 | NtAllocateVirtualMemory | 3560 | 0x00000238 | 0x000b0000
1619411468.640249 | NtAllocateVirtualMemory | 3992 | 0x00000224 | 0x000a0000
1619411468.640249 | NtAllocateVirtualMemory | 3992 | 0x00000224 | 0x000b0000
1619411468.656249 | NtAllocateVirtualMemory | 4028 | 0x00000238 | 0x000a0000
1619411468.656249 | NtAllocateVirtualMemory | 4028 | 0x00000238 | 0x000b0000
1619411477.000001 | NtAllocateVirtualMemory | 3152 | 0x00000224 | 0x000a0000
1619411477.000001 | NtAllocateVirtualMemory | 3152 | 0x00000224 | 0x000b0000
1619411480.922374 | NtAllocateVirtualMemory | 4008 | 0x00000224 | 0x000a0000
1619411480.922374 | NtAllocateVirtualMemory | 4008 | 0x00000224 | 0x000b0000
1619411480.937374 | NtAllocateVirtualMemory | 4080 | 0x00000238 | 0x000a0000
1619411480.937374 | NtAllocateVirtualMemory | 4080 | 0x00000238 | 0x000b0000
1619411480.953374 | NtAllocateVirtualMemory | 3372 | 0x00000244 | 0x000a0000
1619411480.953374 | NtAllocateVirtualMemory | 3372 | 0x00000244 | 0x000b0000
1619411484.557688 | NtAllocateVirtualMemory | 2104 | 0x00000224 | 0x000a0000
1619411484.557688 | NtAllocateVirtualMemory | 2104 | 0x00000224 | 0x000b0000
1619411484.573688 | NtAllocateVirtualMemory | 3816 | 0x00000238 | 0x000a0000
1619411484.573688 | NtAllocateVirtualMemory | 3816 | 0x00000238 | 0x000b0000
1619411484.682688 | NtAllocateVirtualMemory | 428 | 0x00000244 | 0x000a0000
1619411484.682688 | NtAllocateVirtualMemory | 428 | 0x00000244 | 0x000b0000
1619411488.088938 | NtAllocateVirtualMemory | 3116 | 0x00000224 | 0x000a0000
1619411488.088938 | NtAllocateVirtualMemory | 3116 | 0x00000224 | 0x000b0000
Executed a process and injected code into it, probably while unpacking (50 out of 178 events)
Time & API Arguments Status Return Repeated
1619384541.09425
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2196
success 0 0
1619384541.09425
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2196
success 0 0
1619384541.09425
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 2196
success 0 0
1619384541.59425
NtResumeThread
thread_handle: 0x000001cc
suspend_count: 1
process_identifier: 2196
success 0 0
1619384546.82825
NtAllocateVirtualMemory
process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619384546.82825
NtAllocateVirtualMemory
process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
1619384546.84425
NtAllocateVirtualMemory
process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000230
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619384546.84425
NtAllocateVirtualMemory
process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000230
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
1619384546.85925
NtAllocateVirtualMemory
process_identifier: 1760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000244
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000e0000
success 0 0
1619384546.85925
NtAllocateVirtualMemory
process_identifier: 1760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000244
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000f0000
success 0 0
1619384546.89125
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000250
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619384546.89125
NtAllocateVirtualMemory
process_identifier: 708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000250
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
1619384547.54725
NtGetContextThread
thread_handle: 0x00000128
success 0 0
1619384547.54725
NtGetContextThread
thread_handle: 0x00000128
success 0 0
1619384547.54725
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2196
success 0 0
1619384547.65625
NtResumeThread
thread_handle: 0x00000284
suspend_count: 1
process_identifier: 2196
success 0 0
1619384550.57825
CreateProcessInternalW
thread_identifier: 428
thread_handle: 0x000003e0
process_identifier: 2340
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\43ab1e4d8499507ba762ed516b3c46f5.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\43ab1e4d8499507ba762ed516b3c46f5.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\43ab1e4d8499507ba762ed516b3c46f5.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000428
inherit_handles: 0
success 1 0
1619411445.843249
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 708
success 0 0
1619411445.843249
NtResumeThread
thread_handle: 0x000001b4
suspend_count: 1
process_identifier: 708
success 0 0
1619411445.859249
NtResumeThread
thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 708
success 0 0
1619411448.828626
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2340
success 0 0
1619411448.828626
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2340
success 0 0
1619411448.828626
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 2340
success 0 0
1619411448.843626
NtResumeThread
thread_handle: 0x000001cc
suspend_count: 1
process_identifier: 2340
success 0 0
1619411450.875626
NtAllocateVirtualMemory
process_identifier: 2604
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619411450.875626
NtAllocateVirtualMemory
process_identifier: 2604
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
1619411450.968626
NtResumeThread
thread_handle: 0x00000280
suspend_count: 1
process_identifier: 2340
success 0 0
1619411451.468626
CreateProcessInternalW
thread_identifier: 1804
thread_handle: 0x000003dc
process_identifier: 2404
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\43ab1e4d8499507ba762ed516b3c46f5.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\43ab1e4d8499507ba762ed516b3c46f5.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\43ab1e4d8499507ba762ed516b3c46f5.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000424
inherit_handles: 0
success 1 0
1619411451.031249
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 2604
success 0 0
1619411451.031249
NtResumeThread
thread_handle: 0x000001b4
suspend_count: 1
process_identifier: 2604
success 0 0
1619411451.047249
NtResumeThread
thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 2604
success 0 0
1619411451.609374
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2404
success 0 0
1619411451.609374
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 2404
success 0 0
1619411451.609374
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2404
success 0 0
1619411451.640374
NtResumeThread
thread_handle: 0x000001cc
suspend_count: 1
process_identifier: 2404
success 0 0
1619411453.672374
NtAllocateVirtualMemory
process_identifier: 1688
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619411453.672374
NtAllocateVirtualMemory
process_identifier: 1688
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
1619411453.687374
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000238
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619411453.687374
NtAllocateVirtualMemory
process_identifier: 1476
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000238
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
1619411453.781374
NtResumeThread
thread_handle: 0x00000290
suspend_count: 1
process_identifier: 2404
success 0 0
1619411454.265374
CreateProcessInternalW
thread_identifier: 196
thread_handle: 0x000003ec
process_identifier: 2064
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\43ab1e4d8499507ba762ed516b3c46f5.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\43ab1e4d8499507ba762ed516b3c46f5.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\43ab1e4d8499507ba762ed516b3c46f5.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000434
inherit_handles: 0
success 1 0
1619411453.828751
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 1476
success 0 0
1619411453.843751
NtResumeThread
thread_handle: 0x000001b8
suspend_count: 1
process_identifier: 1476
success 0 0
1619411453.859751
NtResumeThread
thread_handle: 0x00000200
suspend_count: 1
process_identifier: 1476
success 0 0
1619411454.406249
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2064
success 0 0
1619411454.406249
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2064
success 0 0
1619411454.406249
NtResumeThread
thread_handle: 0x00000170
suspend_count: 1
process_identifier: 2064
success 0 0
1619411454.422249
NtResumeThread
thread_handle: 0x000001cc
suspend_count: 1
process_identifier: 2064
success 0 0
1619411456.484249
NtAllocateVirtualMemory
process_identifier: 3088
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619411456.484249
NtAllocateVirtualMemory
process_identifier: 3088
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
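Reading the event table above by hand is slow, so here is a small parser for the report's flattened layout (timestamp line, API name, `key: value` lines, then `status return repeated`). It is an added example for this report, not the sandbox's own code; the excerpt it runs on is constructed from the events listed above and trimmed to the fields it uses, and the flag bit values are the documented Win32 process-creation constants. Two things it makes explicit: the `CreateProcessInternalW` calls relaunch the sample's own image from %TEMP%, and their `creation_flags` contain no `CREATE_SUSPENDED`, so this excerpt shows no create-suspended/write/resume hollowing chain; the cross-process part of the signature is the `NtAllocateVirtualMemory` calls whose `process_handle` is a real handle (0x224, 0x230, ...) rather than the current-process pseudo-handle 0xffffffff, each committing `PAGE_READWRITE` pages at 0xa0000/0xb0000 in another PID.

```python
"""Triage helpers for the behaviour log above: parse the flattened event layout,
decode creation_flags, and list self-relaunches and cross-process allocations.
Added example for this report; not the sandbox's own code."""
import re
from collections import defaultdict

# Win32 process-creation flag bits (processthreadsapi.h); the log prints them in decimal.
CREATION_FLAGS = {
    0x00000001: "DEBUG_PROCESS",
    0x00000002: "DEBUG_ONLY_THIS_PROCESS",
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x00080000: "EXTENDED_STARTUPINFO_PRESENT",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}

SAMPLE = r"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\43ab1e4d8499507ba762ed516b3c46f5.exe"

# Constructed excerpt in the report's own layout, trimmed to the fields used.
EXCERPT = r"""
1619384546.82825
NtAllocateVirtualMemory
process_identifier: 1880
process_handle: 0x00000224
base_address: 0x000a0000
success 0 0
1619384546.82825
NtAllocateVirtualMemory
process_identifier: 1880
process_handle: 0x00000224
base_address: 0x000b0000
success 0 0
1619384546.84425
NtAllocateVirtualMemory
process_identifier: 2040
process_handle: 0x00000230
base_address: 0x000a0000
success 0 0
1619384550.57825
CreateProcessInternalW
process_identifier: 2340
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\43ab1e4d8499507ba762ed516b3c46f5.exe
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
success 1 0
1619411451.468626
CreateProcessInternalW
process_identifier: 2404
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\43ab1e4d8499507ba762ed516b3c46f5.exe
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
success 1 0
"""

TIMESTAMP = re.compile(r"^\d{10}\.\d+$")
STATUS = re.compile(r"^(success|failed) (\S+) (\S+)$")


def decode_creation_flags(value):
    """Names of the flag bits set in a creation_flags integer."""
    return {name for bit, name in CREATION_FLAGS.items() if value & bit}


def parse_events(text):
    """Group the log lines into one dict per API call."""
    events, cur = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if TIMESTAMP.match(line):            # a new record starts with its timestamp
            cur = {"time": float(line), "args": {}}
            events.append(cur)
        elif cur is None:
            continue
        elif "api" not in cur:               # first line after the timestamp is the API name
            cur["api"] = line
        elif STATUS.match(line):             # "status return repeated" closes the record
            cur["status"], cur["return"], cur["repeated"] = line.split()
        elif ": " in line:
            key, _, val = line.partition(": ")
            cur["args"][key] = val
    return events


def self_respawns(events, sample_path):
    """Child PIDs created by launching the sample's own image again."""
    return [int(e["args"]["process_identifier"]) for e in events
            if e.get("api") == "CreateProcessInternalW"
            and e["args"].get("filepath", "").lower() == sample_path.lower()]


def allocation_fanout(events):
    """Target PID -> base addresses for NtAllocateVirtualMemory calls made through a real
    process handle; 0xffffffff is the current-process pseudo-handle and is skipped."""
    fan = defaultdict(list)
    for e in events:
        if e.get("api") != "NtAllocateVirtualMemory":
            continue
        a = e["args"]
        if a.get("process_handle", "").lower() == "0xffffffff":
            continue
        fan[int(a["process_identifier"])].append(int(a["base_address"], 16))
    return dict(fan)


def triage(events, sample_path):
    """Respawn chain, decoded launch flags and foreign allocation targets in one dict."""
    flags = set()
    for e in events:
        if e.get("api") == "CreateProcessInternalW":
            flags |= decode_creation_flags(int(e["args"]["creation_flags"].split()[0]))
    return {
        "respawned_children": self_respawns(events, sample_path),
        "creation_flags": sorted(flags),
        "suspended_launch": "CREATE_SUSPENDED" in flags,   # the classic hollowing tell
        "foreign_alloc_targets": sorted(allocation_fanout(events)),
    }


if __name__ == "__main__":
    print(triage(parse_events(EXCERPT), SAMPLE))
```

Run against the full table rather than the excerpt, `allocation_fanout` gives the list of every PID that received the 0xa0000/0xb0000 page pair, which is the quickest way to see whether the allocations are confined to the sample's own children or reach unrelated processes.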
Connects to IP addresses that are no longer responding to requests (legitimate services are usually kept up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while this sample ran

PE Compile Time

2020-07-07 20:23:01

Imports

Library mscoree.dll:
0x402000 _CorExeMain
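The only import is mscoree!_CorExeMain, the entry stub of a managed (.NET) executable, and the "PE Compile Time" above comes from the COFF header's TimeDateStamp. The following is an added example (standard library only, not the report's code) that reads both fields from a PE image and tests for the CLR runtime header in data directory 14, which is the structural check that backs up the import-based hint. The header it parses is constructed inline so it runs offline; the timestamp value used matches the compile time shown above. Treat the result as a hint rather than a fact: TimeDateStamp is trivially forgeable, and deterministic builds store a content hash there instead of a time.

```python
"""Read the COFF TimeDateStamp shown as 'PE Compile Time' and test for a CLR
header, which together with the mscoree!_CorExeMain import marks a managed
(.NET) executable.  Added example, standard library only; not the report's code."""
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data-directory slot of the CLR header


def pe_summary(data):
    """Return (compile_time_utc, is_dotnet) for raw PE bytes; raise ValueError if not PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsect, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32 keeps NumberOfRvaAndSizes at +92 and the directories at +96; PE32+ shifts
    # both by 16 because ImageBase and the stack/heap size fields grow to 8 bytes.
    if magic == 0x10B:
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    is_dotnet = False
    if nrva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and dd_off + 8 * nrva <= opt_size:
        rva, size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        is_dotnet = rva != 0 and size != 0    # a populated CLR directory means managed code
    return datetime.fromtimestamp(timestamp, tz=timezone.utc), is_dotnet


def build_header(timestamp, dotnet):
    """Constructed minimal PE32 header (no sections) so the example runs offline."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)                      # PE32 optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    if dotnet:                                # CLR header RVA/size; values are placeholders
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    when, managed = pe_summary(build_header(1594153381, True))
    print(when.strftime("%Y-%m-%d %H:%M:%S UTC"), "managed" if managed else "native")
```

On a real file, call `pe_summary(open(path, "rb").read())`; the timestamp is returned in UTC, so compare it with the report's displayed time only after accounting for the sandbox's timezone.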

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 62912 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files

No dropped files.

Dropped buffers

No dropped buffers.