Risk score: 5.8 (High risk)

SHA256: 8d8f0c6fdcd021f11d41e3da7521ec78e5460def24bd61f7eb15879788fafcc2

File name: 64e041d709a1b6d2b8ae678e0ba63c5b.exe

Analysis duration: 130s

Last analysis:

File size: 268.5KB
Static detection / Dynamic detection
Detection keywords: 100% AGEN AI SCORE=91 ALI2000008 AUTO BCHV CLOUD CONFIDENCE FAREIT FORMBOOK GDSDA GENERICKD HIGH CONFIDENCE HOFDHN HWMAR3CA INJECTORX KCLOUD KRYPTIK LFQV MALDOC MALICIOUS PE MALWARE@#3HLKH3WCMQ2O2 NOON QMW@A8 R002C0DLB20 SAVE SCORE SIGGEN2 STATIC AI SUSGEN UNSAFE ZEMSILF
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine       Result                               Scan date  Engine version
Alibaba      Trojan:Win32/Maldoc.ali2000008       20190527   0.3.0.5
CrowdStrike  win/malicious_confidence_100% (W)    20210203   1.0
Baidu        (no result)                          20190318   1.0.0.2
Avast        Win32:InjectorX-gen [Trj]            20210325   21.1.5827.0
Tencent      Win32.Trojan.Inject.Auto             20210325   1.0.0.1
Kingsoft     Win32.Troj.Undef.(kcloud)            20210325   2017.9.26.565
McAfee       Fareit-FVK!64E041D709A1              20210325   6.0.6.653
Static indicators
Checks if process is being debugged by a debugger (40 events)
Time               API                Status  Return  Repeated
1619615485.686124  IsDebuggerPresent  failed  0       0
1619615485.686124  IsDebuggerPresent  failed  0       0
1619615495.091751  IsDebuggerPresent  failed  0       0
1619615495.091751  IsDebuggerPresent  failed  0       0
1619615497.107374  IsDebuggerPresent  failed  0       0
1619615497.107374  IsDebuggerPresent  failed  0       0
1619615500.341751  IsDebuggerPresent  failed  0       0
1619615500.341751  IsDebuggerPresent  failed  0       0
1619615502.935499  IsDebuggerPresent  failed  0       0
1619615502.935499  IsDebuggerPresent  failed  0       0
1619615504.028876  IsDebuggerPresent  failed  0       0
1619615504.028876  IsDebuggerPresent  failed  0       0
1619615505.435499  IsDebuggerPresent  failed  0       0
1619615505.435499  IsDebuggerPresent  failed  0       0
1619615506.514249  IsDebuggerPresent  failed  0       0
1619615506.514249  IsDebuggerPresent  failed  0       0
1619615507.622626  IsDebuggerPresent  failed  0       0
1619615507.622626  IsDebuggerPresent  failed  0       0
1619615508.764249  IsDebuggerPresent  failed  0       0
1619615508.764249  IsDebuggerPresent  failed  0       0
1619615510.498249  IsDebuggerPresent  failed  0       0
1619615510.498249  IsDebuggerPresent  failed  0       0
1619615512.888626  IsDebuggerPresent  failed  0       0
1619615512.888626  IsDebuggerPresent  failed  0       0
1619615513.936124  IsDebuggerPresent  failed  0       0
1619615513.936124  IsDebuggerPresent  failed  0       0
1619615515.294501  IsDebuggerPresent  failed  0       0
1619615515.294501  IsDebuggerPresent  failed  0       0
1619615516.404249  IsDebuggerPresent  failed  0       0
1619615516.404249  IsDebuggerPresent  failed  0       0
1619615517.591374  IsDebuggerPresent  failed  0       0
1619615517.591374  IsDebuggerPresent  failed  0       0
1619615518.747374  IsDebuggerPresent  failed  0       0
1619615518.747374  IsDebuggerPresent  failed  0       0
1619615519.622876  IsDebuggerPresent  failed  0       0
1619615519.622876  IsDebuggerPresent  failed  0       0
1619615520.482999  IsDebuggerPresent  failed  0       0
1619615520.482999  IsDebuggerPresent  failed  0       0
1619615521.763626  IsDebuggerPresent  failed  0       0
1619615521.763626  IsDebuggerPresent  failed  0       0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time               API                   Status   Return  Repeated
1619615485.717124  GlobalMemoryStatusEx  success  1       0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 560 events)
Every event below has process_handle 0xffffffff (the calling process itself), protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, status success, return 0 and repeated 0. For NtProtectVirtualMemory the size column is the length argument and there is no allocation type.
Time               API                      PID   Size     Allocation type                 Base address  heap_dep_bypass
1619615484.717124  NtAllocateVirtualMemory  1176  1966080  8192 (MEM_RESERVE)              0x007a0000    0
1619615484.717124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x00940000    1
1619615485.514124  NtAllocateVirtualMemory  1176  720896   8192 (MEM_RESERVE)              0x005e0000    0
1619615485.514124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x00650000    1
1619615485.561124  NtProtectVirtualMemory   1176  4096     -                               0x73b91000    0
1619615485.686124  NtAllocateVirtualMemory  1176  2293760  8192 (MEM_RESERVE)              0x00b10000    0
1619615485.686124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x00d00000    1
1619615485.701124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x003da000    1
1619615485.701124  NtProtectVirtualMemory   1176  8192     -                               0x73b92000    0
1619615485.701124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x003d2000    1
1619615486.076124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x003e2000    1
1619615486.154124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x00415000    1
1619615486.170124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x0041b000    1
1619615486.170124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x00417000    1
1619615486.389124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x003e3000    1
1619615486.451124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x003ec000    1
1619615486.498124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x00580000    1
1619615486.529124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x003f6000    1
1619615486.545124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x003fa000    1
1619615486.545124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x003f7000    1
1619615486.686124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x003e4000    1
1619615487.123124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x003e5000    1
1619615487.217124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x00581000    1
1619615487.373124  NtAllocateVirtualMemory  1176  12288    12288 (MEM_COMMIT|MEM_RESERVE)  0x00c20000    0
1619615488.404124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x003e6000    1
1619615488.404124  NtAllocateVirtualMemory  1176  12288    12288 (MEM_COMMIT|MEM_RESERVE)  0x00c70000    0
1619615489.701124  NtAllocateVirtualMemory  1176  4096     4096 (MEM_COMMIT)               0x00582000    1
1619615490.279124  NtAllocateVirtualMemory  196   3158016  12288 (MEM_COMMIT|MEM_RESERVE)  0x02760000    0
1619615495.060751  NtAllocateVirtualMemory  2964  2097152  8192 (MEM_RESERVE)              0x00550000    0
1619615495.060751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x00710000    1
1619615495.091751  NtAllocateVirtualMemory  2964  327680   8192 (MEM_RESERVE)              0x008e0000    0
1619615495.091751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x008f0000    1
1619615495.091751  NtProtectVirtualMemory   2964  4096     -                               0x73b91000    0
1619615495.091751  NtAllocateVirtualMemory  2964  1900544  8192 (MEM_RESERVE)              0x00990000    0
1619615495.091751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x00b20000    1
1619615495.091751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x0070a000    1
1619615495.091751  NtProtectVirtualMemory   2964  8192     -                               0x73b92000    0
1619615495.091751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x00702000    1
1619615495.107751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x008e2000    1
1619615495.107751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x00945000    1
1619615495.107751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x0094b000    1
1619615495.107751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x00947000    1
1619615495.122751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x008e3000    1
1619615495.122751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x008ec000    1
1619615495.122751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x00b10000    1
1619615495.122751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x00936000    1
1619615495.122751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x0093a000    1
1619615495.122751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x00937000    1
1619615495.169751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x008e4000    1
1619615495.185751  NtAllocateVirtualMemory  2964  4096     4096 (MEM_COMMIT)               0x008e5000    1
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.444905612616544  section .text (size_of_data 0x00042c00, virtual_address 0x00002000, virtual_size 0x00042a64, entropy 7.444905612616544)  A section with a high entropy has been found
entropy 0.996268656716418  Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (20 events)
Time               API                    system_name  privilege_name    Status   Return  Repeated
1619615489.451124  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615496.247751  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615497.216374  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615501.466751  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615503.044499  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615504.138876  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615505.607499  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615506.623249  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615507.732626  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615508.873249  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615510.608249  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615512.997626  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615514.045124  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615515.403501  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615516.514249  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615517.716374  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615518.872374  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615519.732876  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615520.685999  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
1619615522.169626  LookupPrivilegeValueW  (empty)      SeDebugPrivilege  success  1       0
Terminates another process (38 events)
Time               API                 status_code  process_identifier  process_handle  Status   Return  Repeated
1619615496.310751  NtTerminateProcess  0x00000001   0                   0x00000294      failed   0       0
1619615496.310751  NtTerminateProcess  0x00000001   0                   0x00000294      success  0       0
1619615497.263374  NtTerminateProcess  0x00000001   0                   0x0000028c      failed   0       0
1619615497.263374  NtTerminateProcess  0x00000001   0                   0x0000028c      success  0       0
1619615501.513751  NtTerminateProcess  0x00000001   0                   0x00000288      failed   0       0
1619615501.513751  NtTerminateProcess  0x00000001   0                   0x00000288      success  0       0
1619615503.091499  NtTerminateProcess  0x00000001   0                   0x0000028c      failed   0       0
1619615503.091499  NtTerminateProcess  0x00000001   0                   0x0000028c      success  0       0
1619615504.200876  NtTerminateProcess  0x00000001   0                   0x00000288      failed   0       0
1619615504.200876  NtTerminateProcess  0x00000001   0                   0x00000288      success  0       0
1619615505.653499  NtTerminateProcess  0x00000001   0                   0x000002a0      failed   0       0
1619615505.653499  NtTerminateProcess  0x00000001   0                   0x000002a0      success  0       0
1619615506.670249  NtTerminateProcess  0x00000001   0                   0x00000288      failed   0       0
1619615506.670249  NtTerminateProcess  0x00000001   0                   0x00000288      success  0       0
1619615507.778626  NtTerminateProcess  0x00000001   0                   0x00000288      failed   0       0
1619615507.778626  NtTerminateProcess  0x00000001   0                   0x00000288      success  0       0
1619615508.936249  NtTerminateProcess  0x00000001   0                   0x00000288      failed   0       0
1619615508.936249  NtTerminateProcess  0x00000001   0                   0x00000288      success  0       0
1619615510.670249  NtTerminateProcess  0x00000001   0                   0x00000288      failed   0       0
1619615510.670249  NtTerminateProcess  0x00000001   0                   0x00000288      success  0       0
1619615513.075626  NtTerminateProcess  0x00000001   0                   0x00000288      failed   0       0
1619615513.075626  NtTerminateProcess  0x00000001   0                   0x00000288      success  0       0
1619615514.123124  NtTerminateProcess  0x00000001   0                   0x00000288      failed   0       0
1619615514.123124  NtTerminateProcess  0x00000001   0                   0x00000288      success  0       0
1619615515.482501  NtTerminateProcess  0x00000001   0                   0x00000288      failed   0       0
1619615515.482501  NtTerminateProcess  0x00000001   0                   0x00000288      success  0       0
1619615516.592249  NtTerminateProcess  0x00000001   0                   0x00000288      failed   0       0
1619615516.592249  NtTerminateProcess  0x00000001   0                   0x00000288      success  0       0
1619615517.794374  NtTerminateProcess  0x00000001   0                   0x00000294      failed   0       0
1619615517.794374  NtTerminateProcess  0x00000001   0                   0x00000294      success  0       0
1619615518.966374  NtTerminateProcess  0x00000001   0                   0x00000288      failed   0       0
1619615518.966374  NtTerminateProcess  0x00000001   0                   0x00000288      success  0       0
1619615519.825876  NtTerminateProcess  0x00000001   0                   0x00000288      failed   0       0
1619615519.825876  NtTerminateProcess  0x00000001   0                   0x00000288      success  0       0
1619615520.794999  NtTerminateProcess  0x00000001   0                   0x00000294      failed   0       0
1619615520.794999  NtTerminateProcess  0x00000001   0                   0x00000294      success  0       0
1619615522.247626  NtTerminateProcess  0x00000001   0                   0x000002a0      failed   0       0
1619615522.247626  NtTerminateProcess  0x00000001   0                   0x000002a0      success  0       0
Network communication
Manipulates memory of a non-child process indicative of process injection (21 events)
Process injection Process 2964 manipulating memory of non-child process 2732
Process injection Process 3480 manipulating memory of non-child process 3544
Process injection Process 3480 manipulating memory of non-child process 3580
Process injection Process 3280 manipulating memory of non-child process 2188
Process injection Process 3672 manipulating memory of non-child process 4072
Process injection Process 3792 manipulating memory of non-child process 4036
Process injection Process 3792 manipulating memory of non-child process 3832
Every event below is NtAllocateVirtualMemory with region_size 4096, protection 4 (PAGE_READWRITE), allocation_type 4096 (MEM_COMMIT), stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0, status success, return 0 and repeated 0.
Time               API                      Target PID  process_handle  Base address
1619615496.232751  NtAllocateVirtualMemory  2732        0x00000240      0x000a0000
1619615496.232751  NtAllocateVirtualMemory  2732        0x00000240      0x000b0000
1619615505.544499  NtAllocateVirtualMemory  3544        0x00000240      0x000a0000
1619615505.544499  NtAllocateVirtualMemory  3544        0x00000240      0x000b0000
1619615505.591499  NtAllocateVirtualMemory  3580        0x00000254      0x000a0000
1619615505.591499  NtAllocateVirtualMemory  3580        0x00000254      0x000b0000
1619615517.700374  NtAllocateVirtualMemory  2188        0x00000240      0x000a0000
1619615517.700374  NtAllocateVirtualMemory  2188        0x00000240      0x000b0000
1619615520.653999  NtAllocateVirtualMemory  4072        0x00000240      0x000a0000
1619615520.669999  NtAllocateVirtualMemory  4072        0x00000240      0x000b0000
1619615521.872626  NtAllocateVirtualMemory  4036        0x00000240      0x000a0000
1619615521.872626  NtAllocateVirtualMemory  4036        0x00000240      0x000b0000
1619615522.060626  NtAllocateVirtualMemory  3832        0x00000254      0x000a0000
1619615522.060626  NtAllocateVirtualMemory  3832        0x00000254      0x000b0000
Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\Users\Administrator.Oskar-PC\s.exe:Zone.Identifier
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34199256
ALYac Trojan.Agent.FormBook
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.2275270
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0056081c1 )
Alibaba Trojan:Win32/Maldoc.ali2000008
K7GW Trojan ( 0056081c1 )
CrowdStrike win/malicious_confidence_100% (W)
Cyren W32/Trojan.LFQV-9268
ESET-NOD32 a variant of MSIL/Kryptik.WOX
APEX Malicious
Avast Win32:InjectorX-gen [Trj]
Kaspersky HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender Trojan.GenericKD.34199256
NANO-Antivirus Trojan.Win32.Noon.hofdhn
Paloalto generic.ml
ViRobot Trojan.Win32.S.Agent.274944.FB
Tencent Win32.Trojan.Inject.Auto
Ad-Aware Trojan.GenericKD.34199256
Sophos Mal/Generic-S
Comodo Malware@#3hlkh3wcmq2o2
DrWeb Trojan.PWS.Siggen2.52273
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0DLB20
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
FireEye Generic.mg.64e041d709a1b6d2
Emsisoft Trojan.GenericKD.34199256 (B)
SentinelOne Static AI - Malicious PE
Jiangmin TrojanSpy.MSIL.bchv
Avira HEUR/AGEN.1116674
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:MSIL/Formbook.VN!MTB
AegisLab Trojan.Multi.Generic.4!c
GData Trojan.GenericKD.34199256
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.RL_Generic.C4164677
Acronis suspicious
McAfee Fareit-FVK!64E041D709A1
MAX malware (ai score=91)
Malwarebytes Trojan.MalPack.XOR
TrendMicro-HouseCall TROJ_GEN.R002C0DLB20
Rising Spyware.Noon!8.E7C9 (CLOUD)
Ikarus Trojan.Inject
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Kryptik.WOU!tr
BitDefenderTheta Gen:NN.ZemsilF.34628.qmW@a8!LX!j
AVG Win32:InjectorX-gen [Trj]
Cybereason malicious.709a1b
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 142.250.204.142:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while the sample ran
PE Compile Time

2020-07-20 16:02:45

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source          Source port  Destination      Destination port
192.168.56.101  49235        114.114.114.114  53
192.168.56.101  56539        114.114.114.114  53
192.168.56.101  62318        114.114.114.114  53
192.168.56.101  65004        114.114.114.114  53
192.168.56.101  137          192.168.56.255   137
192.168.56.101  138          192.168.56.255   138
192.168.56.101  49713        224.0.0.252      5355
192.168.56.101  50568        224.0.0.252      5355
192.168.56.101  53657        224.0.0.252      5355
192.168.56.101  55368        224.0.0.252      5355
192.168.56.101  57756        224.0.0.252      5355
192.168.56.101  57874        224.0.0.252      5355
192.168.56.101  58367        224.0.0.252      5355
192.168.56.101  60123        224.0.0.252      5355
192.168.56.101  62191        224.0.0.252      5355
192.168.56.101  1900         239.255.255.250  1900
192.168.56.101  57875        239.255.255.250  3702
192.168.56.101  58707        239.255.255.250  3702
192.168.56.101  62194        239.255.255.250  1900
192.168.56.101  65005        239.255.255.250  3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.