Score: 6.8
Verdict: High risk (高危)
SHA-256: 6e3a137a621b11e16fb46aa747fae37564a0cd03e57873193fa5f772a5822628
File name: 64eadca89163fb85798474ad7e977ae7.exe
Analysis duration: 198s
Last analyzed:
File size: 362.5KB
Static scan: malicious (静态报毒)   Dynamic scan: malicious (动态报毒)
Detection tags: AEPY AGENSLA AGENTTESLA AI SCORE=80 CONFIDENCE GDSDA GENERICKD HIGH CONFIDENCE KRYPTIK MALICIOUS PE NANOCORE ONWG PACKEDNET QQPASS QQROB SCORE THFOHBO TROJANPSW UNSAFE WACATAC WMW@A0CXCEM WQNI ZEMSILF
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine results are available for this sample.
Static verdict
Antivirus engines
Engine       Result                               Scan date  Engine version
McAfee       Nanocore-GBB!64EADCA89163            20200706   6.0.6.653
Alibaba      TrojanPSW:MSIL/AgentTesla.4d212a96   20190527   0.3.0.5
Tencent      Msil.Trojan-qqpass.Qqrob.Wqni        20200706   1.0.0.1
Kingsoft     -                                    20200706   2013.8.14.323
CrowdStrike  win/malicious_confidence_90% (W)     20190702   1.0
Static indicators
Checks if process is being debugged by a debugger (showing 50 of 218 events)
Note: in Cuckoo-derived reports the Status column mirrors the return value, so a BOOL of 0 (FALSE) is logged as "failed". Every IsDebuggerPresent row below therefore means "no debugger detected", not that the call errored. Each probe is logged twice with an identical timestamp.
Time               API                Arguments  Status  Return  Repeated
1619638409.615126  IsDebuggerPresent  -          failed  0       0
1619638409.615126  IsDebuggerPresent  -          failed  0       0
1619638424.615751  IsDebuggerPresent  -          failed  0       0
1619638424.615751  IsDebuggerPresent  -          failed  0       0
1619638437.302626  IsDebuggerPresent  -          failed  0       0
1619638437.302626  IsDebuggerPresent  -          failed  0       0
1619638437.615374  IsDebuggerPresent  -          failed  0       0
1619638437.615374  IsDebuggerPresent  -          failed  0       0
1619638438.130751  IsDebuggerPresent  -          failed  0       0
1619638438.130751  IsDebuggerPresent  -          failed  0       0
1619638438.396626  IsDebuggerPresent  -          failed  0       0
1619638438.396626  IsDebuggerPresent  -          failed  0       0
1619638438.927501  IsDebuggerPresent  -          failed  0       0
1619638438.927501  IsDebuggerPresent  -          failed  0       0
1619638439.302499  IsDebuggerPresent  -          failed  0       0
1619638439.302499  IsDebuggerPresent  -          failed  0       0
1619638439.958626  IsDebuggerPresent  -          failed  0       0
1619638439.958626  IsDebuggerPresent  -          failed  0       0
1619638440.177126  IsDebuggerPresent  -          failed  0       0
1619638440.177126  IsDebuggerPresent  -          failed  0       0
1619638440.990751  IsDebuggerPresent  -          failed  0       0
1619638440.990751  IsDebuggerPresent  -          failed  0       0
1619638446.880626  IsDebuggerPresent  -          failed  0       0
1619638446.880626  IsDebuggerPresent  -          failed  0       0
1619638447.443249  IsDebuggerPresent  -          failed  0       0
1619638447.443249  IsDebuggerPresent  -          failed  0       0
1619638450.115374  IsDebuggerPresent  -          failed  0       0
1619638450.115374  IsDebuggerPresent  -          failed  0       0
1619638452.802249  IsDebuggerPresent  -          failed  0       0
1619638452.802249  IsDebuggerPresent  -          failed  0       0
1619638454.318876  IsDebuggerPresent  -          failed  0       0
1619638454.318876  IsDebuggerPresent  -          failed  0       0
1619638454.958876  IsDebuggerPresent  -          failed  0       0
1619638454.958876  IsDebuggerPresent  -          failed  0       0
1619638455.490001  IsDebuggerPresent  -          failed  0       0
1619638455.490001  IsDebuggerPresent  -          failed  0       0
1619638456.693626  IsDebuggerPresent  -          failed  0       0
1619638456.693626  IsDebuggerPresent  -          failed  0       0
1619638458.771626  IsDebuggerPresent  -          failed  0       0
1619638458.771626  IsDebuggerPresent  -          failed  0       0
1619638461.208876  IsDebuggerPresent  -          failed  0       0
1619638461.208876  IsDebuggerPresent  -          failed  0       0
1619638462.476563  IsDebuggerPresent  -          failed  0       0
1619638462.476563  IsDebuggerPresent  -          failed  0       0
1619638463.088564  IsDebuggerPresent  -          failed  0       0
1619638463.088564  IsDebuggerPresent  -          failed  0       0
1619638463.317751  IsDebuggerPresent  -          failed  0       0
1619638463.317751  IsDebuggerPresent  -          failed  0       0
1619638464.276876  IsDebuggerPresent  -          failed  0       0
1619638464.276876  IsDebuggerPresent  -          failed  0       0
Checks the amount of memory in the system; this can be used to detect virtual machines with little memory available (1 event)
Time               API                   Arguments  Status   Return  Repeated
1619638409.677126  GlobalMemoryStatusEx  -          success  1       0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (showing 50 of 3318 events)
Note: every one of the 50 events below carries protection=64 (PAGE_EXECUTE_READWRITE), process_handle=0xffffffff (the NtCurrentProcess pseudo-handle, i.e. the caller's own address space), stack_dep_bypass=0 and stack_pivoted=0; those constant columns are omitted from the rows. pid = process_identifier. Two processes appear, 2308 and 1376.
Caveat: the antivirus names above classify this as an MSIL (.NET) sample, and the CLR JIT itself allocates and re-protects memory as PAGE_EXECUTE_READWRITE. The same high pages (0x73b91000, 0x73b92000) being flipped RWX in both 2308 and 1376 is consistent with runtime behaviour, so this signature carries little weight on its own for .NET binaries; check the owning module for each address before treating an event as unpacking.
Time               API                      Arguments                                                                                             Status   Return  Repeated
1619638404.302126  NtAllocateVirtualMemory  pid=2308 region_size=720896 heap_dep_bypass=0 allocation_type=8192 (MEM_RESERVE) base_address=0x00590000   success  0       0
1619638404.302126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00600000      success  0       0
1619638408.693126  NtAllocateVirtualMemory  pid=2308 region_size=1310720 heap_dep_bypass=0 allocation_type=8192 (MEM_RESERVE) base_address=0x00b20000  success  0       0
1619638408.693126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00c20000      success  0       0
1619638409.240126  NtProtectVirtualMemory   pid=2308 length=4096 heap_dep_bypass=0 base_address=0x73b91000                                            success  0       0
1619638409.615126  NtAllocateVirtualMemory  pid=2308 region_size=1769472 heap_dep_bypass=0 allocation_type=8192 (MEM_RESERVE) base_address=0x00c60000  success  0       0
1619638409.615126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00dd0000      success  0       0
1619638409.615126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x0041a000      success  0       0
1619638409.630126  NtProtectVirtualMemory   pid=2308 length=8192 heap_dep_bypass=0 base_address=0x73b92000                                            success  0       0
1619638409.630126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00412000      success  0       0
1619638410.615126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00432000      success  0       0
1619638411.021126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00455000      success  0       0
1619638411.037126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x0045b000      success  0       0
1619638411.037126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00457000      success  0       0
1619638411.537126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00433000      success  0       0
1619638411.646126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x0043c000      success  0       0
1619638412.099126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00660000      success  0       0
1619638412.177126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00446000      success  0       0
1619638412.287126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x0044a000      success  0       0
1619638412.287126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00447000      success  0       0
1619638412.615126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00434000      success  0       0
1619638413.380126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00435000      success  0       0
1619638413.490126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00661000      success  0       0
1619638413.990126  NtAllocateVirtualMemory  pid=2308 region_size=12288 heap_dep_bypass=0 allocation_type=12288 (MEM_COMMIT|MEM_RESERVE) base_address=0x00a70000  success  0  0
1619638423.927126  NtAllocateVirtualMemory  pid=2308 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00662000      success  0       0
1619638424.583751  NtProtectVirtualMemory   pid=1376 length=4096 heap_dep_bypass=0 base_address=0x74521000                                            success  0       0
1619638424.583751  NtAllocateVirtualMemory  pid=1376 region_size=983040 heap_dep_bypass=0 allocation_type=8192 (MEM_RESERVE) base_address=0x006c0000   success  0       0
1619638424.583751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00770000      success  0       0
1619638424.599751  NtProtectVirtualMemory   pid=1376 length=4096 heap_dep_bypass=0 base_address=0x73b91000                                            success  0       0
1619638424.615751  NtProtectVirtualMemory   pid=1376 length=4096 heap_dep_bypass=0 base_address=0x73ad1000                                            success  0       0
1619638424.615751  NtAllocateVirtualMemory  pid=1376 region_size=1376256 heap_dep_bypass=0 allocation_type=8192 (MEM_RESERVE) base_address=0x008c0000  success  0       0
1619638424.615751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x009d0000      success  0       0
1619638424.615751  NtProtectVirtualMemory   pid=1376 length=4096 heap_dep_bypass=0 base_address=0x73b91000                                            success  0       0
1619638424.615751  NtAllocateVirtualMemory  pid=1376 region_size=1048576 heap_dep_bypass=0 allocation_type=8192 (MEM_RESERVE) base_address=0x007b0000  success  0       0
1619638424.615751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00870000      success  0       0
1619638424.615751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x0070a000      success  0       0
1619638424.615751  NtProtectVirtualMemory   pid=1376 length=8192 heap_dep_bypass=0 base_address=0x73b92000                                            success  0       0
1619638424.615751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00702000      success  0       0
1619638424.630751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00712000      success  0       0
1619638424.630751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00735000      success  0       0
1619638424.630751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x0073b000      success  0       0
1619638424.630751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00737000      success  0       0
1619638424.630751  NtProtectVirtualMemory   pid=1376 length=4096 heap_dep_bypass=0 base_address=0x74511000                                            success  0       0
1619638424.630751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00713000      success  0       0
1619638424.630751  NtProtectVirtualMemory   pid=1376 length=4096 heap_dep_bypass=0 base_address=0x75061000                                            success  0       0
1619638424.646751  NtAllocateVirtualMemory  pid=1376 region_size=12288 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x00714000     success  0       0
1619638424.646751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x0071c000      success  0       0
1619638424.662751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x02a00000      success  0       0
1619638428.927751  NtAllocateVirtualMemory  pid=1376 region_size=4096 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x02a30000      success  0       0
1619638428.927751  NtAllocateVirtualMemory  pid=1376 region_size=69632 heap_dep_bypass=1 allocation_type=4096 (MEM_COMMIT) base_address=0x02a31000     success  0       0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.1343671373564375  section .text: size_of_data=0x0005a400 virtual_address=0x00002000 virtual_size=0x0005a2c4 entropy=7.1343671373564375  description: A section with a high entropy has been found
entropy 0.9972375690607734  description: Overall entropy of this PE file is high
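The two figures above are not the same measurement. The per-section value (7.134…) is Shannon entropy in bits per byte, where 8.0 is the maximum and anything above roughly 6.8 is typical of compressed or encrypted data. The "overall" value (0.9972…) is a 0..1 fraction: the share of the PE's section bytes that sit in sections over that threshold. It is consistent with 0x5a400 / (0x5a400 + 0x400) = 361/362 = 0.99724, i.e. a layout in which .text is the only high-entropy section and the remaining sections total 1 KB. The following Python is an added example, not the sandbox's own code: it computes both numbers from a PE image with a minimal section-table parser. The 6.8 threshold is the Cuckoo packer_entropy signature's default and is an assumption about this report; build_minimal_pe() fabricates a non-executable PE32 image as constructed test input so the example runs without the sample.

```python
"""Per-section Shannon entropy and the packer heuristic behind the "high entropy"
signature. Added example for this report page; not the sandbox's code."""
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

# Assumption: same threshold as Cuckoo's packer_entropy signature (bits per byte).
HIGH_ENTROPY_BITS = 6.8


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for one repeated byte, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes) -> List[Dict[str, object]]:
    """Walk DOS header -> PE signature -> COFF header -> section table; entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt          # 4-byte signature + 20-byte COFF header + optional header
    out = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]  # size_of_data in the report = SizeOfRawData
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "virtual_address": va, "virtual_size": vsize,
                    "size_of_data": raw_size, "entropy": shannon_entropy(data)})
    return out


def packer_entropy_report(pe: bytes, threshold: float = HIGH_ENTROPY_BITS) -> Dict[str, object]:
    """Flag sections above the threshold and compute the share of section bytes they hold.

    That share is what the signature labels "overall entropy": a 0..1 fraction, not bits."""
    sections = pe_sections(pe)
    total = sum(s["size_of_data"] for s in sections)
    high = [s for s in sections if s["entropy"] > threshold]
    packed = sum(s["size_of_data"] for s in high)
    return {"high_entropy_sections": [s["name"] for s in high],
            "compressed_ratio": packed / total if total else 0.0,
            "sections": sections}


def build_minimal_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Constructed test input: PE32 headers plus the given sections, file alignment 0x200.
    Not a runnable executable; just enough structure for pe_sections() to parse."""
    align, size_opt = 0x200, 224
    header_len = (0x80 + 4 + 20 + size_opt + 40 * len(sections) + align - 1) // align * align
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = b"\x0b\x01" + b"\0" * (size_opt - 2)              # Magic = PE32, rest zeroed
    table, body, raw_ptr, va = b"", b"", header_len, 0x1000
    for name, data in sections:
        raw_size = (len(data) + align - 1) // align * align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += (raw_size + 0xFFF) // 0x1000 * 0x1000
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    return (dos + b"PE\0\0" + coff + opt + table).ljust(header_len, b"\0") + body


if __name__ == "__main__":
    # .text holds every byte value equally often (8.0 bits/byte); .rdata is a single repeated byte.
    image = build_minimal_pe([(".text", bytes(range(256)) * 4), (".rdata", b"A" * 512)])
    report = packer_entropy_report(image)
    for s in report["sections"]:
        print(f"{s['name']:8} size=0x{s['size_of_data']:08x} entropy={s['entropy']:.4f}")
    print("high-entropy sections:", report["high_entropy_sections"])
    print("share of section bytes in them:", round(report["compressed_ratio"], 4))
```

Run on a real PE, the per-section entropy should reproduce the 7.13 figure for .text and compressed_ratio the 0.997 figure, provided the report's threshold matches. Entropy alone does not distinguish a packer from legitimately compressed resources or an obfuscated .NET assembly, which is why the signature is scored as "likely" rather than treated as proof.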
Checks for the Locally Unique Identifier on the system for a suspicious privilege (showing 50 of 108 events)
Note: every row is the same call with system_name empty and privilege_name=SeDebugPrivilege; the return of 1 (TRUE) means the LUID was resolved. LookupPrivilegeValueW only looks the privilege up, it does not enable it; the actual elevation step would be a following AdjustTokenPrivileges call, which is not part of this excerpt.
Time               API                    Arguments                                      Status   Return  Repeated
1619638423.412126  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638438.724751  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638437.458626  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638438.724374  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638438.224751  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638438.724626  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638439.146501  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638439.568499  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638440.037626  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638440.412126  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638446.724751  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638450.052626  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638449.943249  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638450.208374  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638453.755249  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638454.490876  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638455.349876  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638456.349001  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638458.599626  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638459.115626  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638462.193876  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638462.710563  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638463.166564  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638464.192751  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638464.448876  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638466.044813  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638465.933751  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638466.287938  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638466.860687  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638467.139063  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638467.69025   LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638467.965249  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638468.648188  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638468.957564  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638469.594687  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638469.855876  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638470.506813  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638470.750812  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638471.505876  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638471.747688  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638472.409284  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638472.624252  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638473.275535  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638473.506505  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638474.903884  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638475.115199  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638475.750137  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638475.964982  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638477.219736  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
1619638477.483049  LookupPrivilegeValueW  system_name= privilege_name=SeDebugPrivilege  success  1       0
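The memory, privilege and anti-debug signatures in this report (RWX allocations, SeDebugPrivilege lookups, IsDebuggerPresent probes, and the allocations into non-child processes listed further down) all reduce to a few field checks on the API trace. The Python below is an added example, not the sandbox's own code: it parses the flattened event layout used on this page (timestamp line, API line, "key: value" argument lines, then a "status return repeated" line) and applies those checks. The four sample events are copied from this report's own tables, trimmed to the arguments the rules read. The self-versus-foreign rule relies on process_handle 0xffffffff being the NtCurrentProcess pseudo-handle; the API name sets and any field names beyond those visible on this page are assumptions.

```python
"""Triage a Cuckoo-style API trace for the indicators this report scores on.
Added example for this report page; not the sandbox's code."""
import re
from typing import Dict, List

TS_RE = re.compile(r"^\d{10}\.\d+$")                  # e.g. 1619638404.302126
RESULT_RE = re.compile(r"^(success|failed) (\S+) (\d+)$")

SELF_HANDLE = 0xFFFFFFFF          # NtCurrentProcess() pseudo-handle (-1): the caller's own process
PAGE_EXECUTE_READWRITE = 0x40     # logged as "protection: 64 (PAGE_EXECUTE_READWRITE)"
MEMORY_APIS = {"NtAllocateVirtualMemory", "NtProtectVirtualMemory",      # assumed API set
               "NtWriteVirtualMemory", "NtMapViewOfSection"}
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}    # assumed API set


def parse_events(text: str) -> List[dict]:
    """Turn the flattened trace into dicts of {time, api, args, status, return, repeated}."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            if TS_RE.match(line):                  # an event starts with its timestamp
                cur = {"time": float(line), "api": None, "args": {}}
            continue
        if cur["api"] is None:                     # second line is the API name
            cur["api"] = line
            continue
        m = RESULT_RE.match(line)
        if m:                                      # "status return repeated" closes the event
            cur["status"], cur["return"], cur["repeated"] = m.group(1), m.group(2), int(m.group(3))
            events.append(cur)
            cur = None
            continue
        key, _, value = line.partition(":")        # "system_name:" yields an empty value
        cur["args"][key.strip()] = value.strip()
    return events


def _num(value: str) -> int:
    """Leading number of an argument: '64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x00000224' -> 548."""
    tok = value.split()[0] if value else "0"
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def triage(text: str) -> Dict[str, object]:
    """Apply the four heuristics: RWX memory, foreign-process memory, SeDebugPrivilege, anti-debug."""
    rwx, foreign = [], []
    sedebug = anti_debug = 0
    events = parse_events(text)
    for ev in events:
        api, args = ev["api"], ev["args"]
        if api in MEMORY_APIS:
            prot = _num(args.get("protection", "0"))
            handle = _num(args.get("process_handle", hex(SELF_HANDLE)))
            hit = {"api": api, "time": ev["time"],
                   "pid": _num(args.get("process_identifier", "0")),
                   "base_address": args.get("base_address")}
            if prot == PAGE_EXECUTE_READWRITE:     # executable + writable: unpacking or staging code
                rwx.append(hit)
            if handle != SELF_HANDLE:              # operating on memory through another process's handle
                foreign.append(dict(hit, process_handle=args.get("process_handle")))
        elif api == "LookupPrivilegeValueW" and args.get("privilege_name") == "SeDebugPrivilege":
            sedebug += 1
        elif api in ANTI_DEBUG_APIS:
            anti_debug += 1
    return {"events": len(events), "rwx_memory": rwx, "foreign_process_memory": foreign,
            "sedebug_lookups": sedebug, "anti_debug_calls": anti_debug}


# Constructed sample: four events copied from this report's tables, trimmed to the
# arguments the heuristics read.
SAMPLE_TRACE = """
1619638404.302126
NtAllocateVirtualMemory
process_identifier: 2308
region_size: 720896
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00590000
success 0 0
1619638409.615126
IsDebuggerPresent
failed 0 0
1619638423.412126
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619638438.208751
NtAllocateVirtualMemory
process_identifier: 1832
region_size: 4096
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Run stand-alone it reports one RWX allocation in PID 2308, one allocation into PID 1832 through handle 0x00000224, one SeDebugPrivilege lookup and one anti-debug probe. On a full trace the foreign-handle list alone reproduces the "Manipulates memory of a non-child process" hits, because in those events process_identifier is the target's PID and the handle is not the self pseudo-handle. The RWX list is the noisy one for .NET samples, since the CLR JIT allocates executable memory itself; weight it by process and module rather than by event count.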
Terminates another process (showing 50 of 106 events)
Note: every row carries status_code=0x00000001 and process_identifier=0; each handle appears twice at the same timestamp, first logged as failed and then as success.
Time               API                 Arguments                  Status   Return  Repeated
1619638437.490626  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638437.490626  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638438.271751  NtTerminateProcess  process_handle=0x00000278  failed   0       0
1619638438.271751  NtTerminateProcess  process_handle=0x00000278  success  0       0
1619638439.224501  NtTerminateProcess  process_handle=0x00000274  failed   0       0
1619638439.224501  NtTerminateProcess  process_handle=0x00000274  success  0       0
1619638440.099626  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638440.099626  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638446.802751  NtTerminateProcess  process_handle=0x00000278  failed   0       0
1619638446.802751  NtTerminateProcess  process_handle=0x00000278  success  0       0
1619638450.021249  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638450.021249  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638453.818249  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638453.818249  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638455.427876  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638455.427876  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638458.974626  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638458.974626  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638462.255876  NtTerminateProcess  process_handle=0x00000278  failed   0       0
1619638462.255876  NtTerminateProcess  process_handle=0x00000278  success  0       0
1619638463.229564  NtTerminateProcess  process_handle=0x00000270  failed   0       0
1619638463.229564  NtTerminateProcess  process_handle=0x00000270  success  0       0
1619638464.526876  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638464.526876  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638465.996751  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638465.996751  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638466.938687  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638466.938687  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638467.76825   NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638467.76825   NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638468.742188  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638468.742188  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638469.688687  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638469.688687  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638470.600813  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638470.600813  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638471.598876  NtTerminateProcess  process_handle=0x00000270  failed   0       0
1619638471.598876  NtTerminateProcess  process_handle=0x00000270  success  0       0
1619638472.487284  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638472.487284  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638473.368535  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638473.368535  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638475.028884  NtTerminateProcess  process_handle=0x00000278  failed   0       0
1619638475.028884  NtTerminateProcess  process_handle=0x00000278  success  0       0
1619638475.875137  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638475.875137  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638477.360736  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638477.360736  NtTerminateProcess  process_handle=0x0000026c  success  0       0
1619638478.381614  NtTerminateProcess  process_handle=0x0000026c  failed   0       0
1619638478.381614  NtTerminateProcess  process_handle=0x0000026c  success  0       0
Network communication
Communicates with host for which no DNS query was performed (3 events)
host 104.123.204.134
host 113.108.239.196
host 172.217.24.14
Note: direct-to-IP traffic with no preceding DNS lookup can be a hard-coded C2 address or the sandbox guest's own background traffic; attribute each connection to its owning process before using these addresses as indicators.
Manipulates memory of a non-child process indicative of process injection (27 events)
Process injection: process 2436 manipulating memory of non-child process 1832
Process injection: process 3228 manipulating memory of non-child process 3288
Process injection: process 4092 manipulating memory of non-child process 3248
Process injection: process 4336 manipulating memory of non-child process 4396
Process injection: process 4688 manipulating memory of non-child process 4636
Process injection: process 2812 manipulating memory of non-child process 5852
Process injection: process 6204 manipulating memory of non-child process 6276
Process injection: process 6824 manipulating memory of non-child process 6884
Process injection: process 6896 manipulating memory of non-child process 7096
Note: every row below is an NtAllocateVirtualMemory call with region_size=4096, protection=4 (PAGE_READWRITE), process_handle=0x00000224, allocation_type=4096 (MEM_COMMIT), stack_dep_bypass=0, stack_pivoted=0 and heap_dep_bypass=0; those constant columns are omitted. Because the handle refers to another process, pid (process_identifier) here is the target's PID and matches the list above, not the caller's. Each target receives two consecutive read-write pages (0x000a0000 and 0x000b0000); as PAGE_READWRITE they are data pages, and any executable allocation into the target is not part of this excerpt.
Time               API                      Arguments                         Status   Return  Repeated
1619638438.208751  NtAllocateVirtualMemory  pid=1832 base_address=0x000a0000  success  0       0
1619638438.208751  NtAllocateVirtualMemory  pid=1832 base_address=0x000b0000  success  0       0
1619638443.583751  NtAllocateVirtualMemory  pid=3288 base_address=0x000a0000  success  0       0
1619638443.583751  NtAllocateVirtualMemory  pid=3288 base_address=0x000b0000  success  0       0
1619638462.162876  NtAllocateVirtualMemory  pid=3248 base_address=0x000a0000  success  0       0
1619638462.162876  NtAllocateVirtualMemory  pid=3248 base_address=0x000b0000  success  0       0
1619638474.513884  NtAllocateVirtualMemory  pid=4396 base_address=0x000a0000  success  0       0
1619638474.513884  NtAllocateVirtualMemory  pid=4396 base_address=0x000b0000  success  0       0
1619638488.791924  NtAllocateVirtualMemory  pid=4636 base_address=0x000a0000  success  0       0
1619638488.806924  NtAllocateVirtualMemory  pid=4636 base_address=0x000b0000  success  0       0
1619638513.957472  NtAllocateVirtualMemory  pid=5852 base_address=0x000a0000  success  0       0
1619638513.957472  NtAllocateVirtualMemory  pid=5852 base_address=0x000b0000  success  0       0
1619638516.150127  NtAllocateVirtualMemory  pid=6276 base_address=0x000a0000  success  0       0
1619638516.166127  NtAllocateVirtualMemory  pid=6276 base_address=0x000b0000  success  0       0
1619638524.475597  NtAllocateVirtualMemory  pid=6884 base_address=0x000a0000  success  0       0
1619638524.491597  NtAllocateVirtualMemory  pid=6884 region_size=4096  (the rest of this entry is cut off on the page)
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
1619638540.928597
NtAllocateVirtualMemory
process_identifier: 7096
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619638540.944597
NtAllocateVirtualMemory
process_identifier: 7096
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000b0000
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\WETZRYXTC.exe:Zone.Identifier
File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)
MicroWorld-eScan Trojan.GenericKD.43309526
FireEye Generic.mg.64eadca89163fb85
McAfee Nanocore-GBB!64EADCA89163
Zillya Trojan.Kryptik.Win32.2042872
Sangfor Malware
K7AntiVirus Trojan ( 0056081c1 )
Alibaba TrojanPSW:MSIL/AgentTesla.4d212a96
K7GW Trojan ( 0056081c1 )
Cybereason malicious.a87c5f
Invincea heuristic
BitDefenderTheta Gen:NN.ZemsilF.34130.wmW@a0CxCem
Cyren W32/Trojan.ONWG-7341
Symantec Trojan.Gen.MBT
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.43309526
ViRobot Trojan.Win32.Z.Agent.371200.MR
Tencent Msil.Trojan-qqpass.Qqrob.Wqni
Ad-Aware Trojan.GenericKD.43309526
Emsisoft Trojan.GenericKD.43309526 (B)
F-Secure Trojan.TR/Crypt.XDR.Gen
DrWeb Trojan.PackedNET.332
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.MSIL.WACATAC.THFOHBO
Trapmine suspicious.low.ml.score
Sophos Mal/Generic-S
Jiangmin Trojan.PSW.MSIL.aepy
eGambit Unsafe.AI_Score_98%
Avira TR/Crypt.XDR.Gen
MAX malware (ai score=80)
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Endgame malicious (high confidence)
Microsoft Trojan:MSIL/AgentTesla.BB!MTB
AegisLab Trojan.Win32.Malicious.4!c
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.43309526
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.RL_Generic.C4126582
Acronis suspicious
ALYac Spyware.AgentTesla
ESET-NOD32 a variant of MSIL/Kryptik.WOX
TrendMicro-HouseCall Trojan.MSIL.WACATAC.THFOHBO
SentinelOne DFI - Malicious PE
Fortinet MSIL/Kryptik.WEZ!tr
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_90% (W)
Qihoo-360 Generic/Trojan.PSW.374
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 216.58.200.238:443
Visual Analysis
Binary Image
No binary image: no binary visualisation image was generated for this sample.
Runtime Screenshots
No runtime screenshots: no screenshots were captured while this sample ran.

PE Compile Time

2020-06-08 21:51:06

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source           Source Port   Destination      Destination Port
104.123.204.134  443           192.168.56.101   49177

UDP

Source           Source Port   Destination                       Destination Port
192.168.56.101   50568         114.114.114.114                   53
192.168.56.101   51963         114.114.114.114                   53
192.168.56.101   53380         114.114.114.114                   53
192.168.56.101   60123         114.114.114.114                   53
192.168.56.101   60215         114.114.114.114                   53
192.168.56.101   63429         114.114.114.114                   53
192.168.56.101   65004         114.114.114.114                   53
192.168.56.101   137           192.168.56.255                    137
192.168.56.101   138           192.168.56.255                    138
192.168.56.101   123           20.189.79.72 (time.windows.com)   123
192.168.56.101   49235         224.0.0.252                       5355
192.168.56.101   50002         224.0.0.252                       5355
192.168.56.101   53657         224.0.0.252                       5355
192.168.56.101   56539         224.0.0.252                       5355
192.168.56.101   56804         224.0.0.252                       5355
192.168.56.101   57236         224.0.0.252                       5355
192.168.56.101   57756         224.0.0.252                       5355
192.168.56.101   57874         224.0.0.252                       5355
192.168.56.101   58367         224.0.0.252                       5355
192.168.56.101   60384         224.0.0.252                       5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.