8.4
High risk

SHA-256: 096d66e5982a15e1c1a9c795bae8a0b360ac5b95c44df978f00eb1645f8f1015

File name: 6791daf81304df6707b24d58f01fed78.exe

Analysis duration: 186s

Last analysis:

File size: 446.5KB
Static scan: malicious. Dynamic scan: malicious. Detection tags: 100% AGEN AI SCORE=86 ALI2000008 ATTRIBUTE AUTO AVEMARIA BMW@AOZDT@O CONFIDENCE CONVAGENT CSHARP ELDORADO EQSQH GENERICKD GENERICRXKD HAWKEY HIFZWD HIGH CONFIDENCE HIGHCONFIDENCE KRYPTIK QVM03 R + TROJ R06EC0DI220 RNDCRYPT SCORE SIGGEN9 STATIC AI SUSPICIOUS PE TROJANX TSCOPE UNSAFE WACATAC ZEMSILF
鹰眼引擎 (Eagle Eye engine)
Not detected: no Eagle Eye engine results yet
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee | GenericRXKD-BT!6791DAF81304 | 20201228 | 6.0.6.653
Avast | Win32:TrojanX-gen [Trj] | 20201228 | 21.1.5827.0
Alibaba | Trojan:Win32/csharp.ali2000008 | 20190527 | 0.3.0.5
Tencent | Win32.Trojan.Inject.Auto | 20201228 | 1.0.0.1
Baidu | | 20190318 | 1.0.0.2
Kingsoft | | 20201228 | 2017.9.26.565
CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0
Static indicators
Queries for the computername (50 out of 62 events)
Time | API | computer_name | Status | Return | Repeated
1619615931.9355 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619615931.9355 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619615933.575625 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619615933.575625 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619615934.40375 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619615934.40375 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619615935.1695 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619615935.1695 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619615936.23225 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619615936.23225 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619615937.106625 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619615937.106625 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619615938.091375 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619615938.091375 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619615941.106375 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619615941.106375 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619615986.354894 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619615986.354894 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619615983.092498 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619615983.092498 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619615999.440685 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619615999.440685 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616000.281115 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616000.281115 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616001.758136 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616001.758136 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616004.994319 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616004.994319 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616012.870609 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616012.870609 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616014.689766 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616014.689766 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616015.598588 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616015.598588 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616016.707017 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616016.707017 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616018.20644 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616018.20644 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616019.268548 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616019.268548 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616020.946872 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616020.946872 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616021.987596 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616021.987596 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616023.037253 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616023.037253 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616030.567901 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616030.567901 | GetComputerNameW | OSKAR-PC | success | 1 | 0
1619616032.002002 | GetComputerNameA | OSKAR-PC | success | 1 | 0
1619616032.002002 | GetComputerNameW | OSKAR-PC | success | 1 | 0
Checks if process is being debugged by a debugger (50 out of 186 events)
Time | API | Arguments | Status | Return | Repeated
1619615928.342 | IsDebuggerPresent | | failed | 0 | 0
1619615928.342 | IsDebuggerPresent | | failed | 0 | 0
1619615931.1535 | IsDebuggerPresent | | failed | 0 | 0
1619615931.1535 | IsDebuggerPresent | | failed | 0 | 0
1619615931.9195 | IsDebuggerPresent | | failed | 0 | 0
1619615931.9195 | IsDebuggerPresent | | failed | 0 | 0
1619615933.341875 | IsDebuggerPresent | | failed | 0 | 0
1619615933.341875 | IsDebuggerPresent | | failed | 0 | 0
1619615933.544625 | IsDebuggerPresent | | failed | 0 | 0
1619615933.544625 | IsDebuggerPresent | | failed | 0 | 0
1619615933.575625 | IsDebuggerPresent | | failed | 0 | 0
1619615933.575625 | IsDebuggerPresent | | failed | 0 | 0
1619615934.1385 | IsDebuggerPresent | | failed | 0 | 0
1619615934.1385 | IsDebuggerPresent | | failed | 0 | 0
1619615934.37275 | IsDebuggerPresent | | failed | 0 | 0
1619615934.37275 | IsDebuggerPresent | | failed | 0 | 0
1619615934.40375 | IsDebuggerPresent | | failed | 0 | 0
1619615934.40375 | IsDebuggerPresent | | failed | 0 | 0
1619615934.889125 | IsDebuggerPresent | | failed | 0 | 0
1619615934.889125 | IsDebuggerPresent | | failed | 0 | 0
1619615935.0915 | IsDebuggerPresent | | failed | 0 | 0
1619615935.0915 | IsDebuggerPresent | | failed | 0 | 0
1619615935.1535 | IsDebuggerPresent | | failed | 0 | 0
1619615935.1695 | IsDebuggerPresent | | failed | 0 | 0
1619615935.981498 | IsDebuggerPresent | | failed | 0 | 0
1619615935.981498 | IsDebuggerPresent | | failed | 0 | 0
1619615936.18625 | IsDebuggerPresent | | failed | 0 | 0
1619615936.18625 | IsDebuggerPresent | | failed | 0 | 0
1619615936.23225 | IsDebuggerPresent | | failed | 0 | 0
1619615936.23225 | IsDebuggerPresent | | failed | 0 | 0
1619615936.778498 | IsDebuggerPresent | | failed | 0 | 0
1619615936.778498 | IsDebuggerPresent | | failed | 0 | 0
1619615937.044625 | IsDebuggerPresent | | failed | 0 | 0
1619615937.044625 | IsDebuggerPresent | | failed | 0 | 0
1619615937.106625 | IsDebuggerPresent | | failed | 0 | 0
1619615937.106625 | IsDebuggerPresent | | failed | 0 | 0
1619615937.79475 | IsDebuggerPresent | | failed | 0 | 0
1619615937.79475 | IsDebuggerPresent | | failed | 0 | 0
1619615938.028375 | IsDebuggerPresent | | failed | 0 | 0
1619615938.028375 | IsDebuggerPresent | | failed | 0 | 0
1619615938.091375 | IsDebuggerPresent | | failed | 0 | 0
1619615938.091375 | IsDebuggerPresent | | failed | 0 | 0
1619615940.686 | IsDebuggerPresent | | failed | 0 | 0
1619615940.686 | IsDebuggerPresent | | failed | 0 | 0
1619615941.044375 | IsDebuggerPresent | | failed | 0 | 0
1619615941.044375 | IsDebuggerPresent | | failed | 0 | 0
1619615941.106375 | IsDebuggerPresent | | failed | 0 | 0
1619615941.106375 | IsDebuggerPresent | | failed | 0 | 0
1619615964.212168 | IsDebuggerPresent | | failed | 0 | 0
1619615964.212168 | IsDebuggerPresent | | failed | 0 | 0
Command line console output was observed (50 out of 58 events)
Time | API | buffer | console_handle | Status | Return | Repeated
1619615978.607 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619615978.623 | WriteConsoleW | 拒绝访问。 | 0x0000000b | success | 1 | 0
1619615935.93625 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619615978.5915 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619615978.6065 | WriteConsoleW | 拒绝访问。 | 0x0000000b | success | 1 | 0
1619615936.889 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619615978.591625 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619615978.591625 | WriteConsoleW | 拒绝访问。 | 0x0000000b | success | 1 | 0
1619615937.778375 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619615978.606375 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619615978.622375 | WriteConsoleW | 拒绝访问。 | 0x0000000b | success | 1 | 0
1619615938.951 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619615981.49775 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619615981.49775 | WriteConsoleW | 拒绝访问。 | 0x0000000b | success | 1 | 0
1619615939.825625 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619615969.88875 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619615978.59175 | WriteConsoleW | 另一个程序正在使用此文件,进程无法访问。 | 0x0000000b | success | 1 | 0
1619615940.54525 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619615978.62325 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619615978.63925 | WriteConsoleW | 拒绝访问。 | 0x0000000b | success | 1 | 0
1619615941.63875 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619615969.88925 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619615978.59225 | WriteConsoleW | 拒绝访问。 | 0x0000000b | success | 1 | 0
1619615945.3415 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616002.11344 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619616002.11344 | WriteConsoleW | 拒绝访问。 | 0x0000000b | success | 1 | 0
1619616002.25344 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619616002.25344 | WriteConsoleW | 拒绝访问。 | 0x0000000b | success | 1 | 0
1619615989.766241 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616001.548718 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616004.603759 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619616004.603759 | WriteConsoleW | 另一个程序正在使用此文件,进程无法访问。 | 0x0000000b | success | 1 | 0
1619616002.881204 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616040.723626 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619616040.723626 | WriteConsoleW | 拒绝访问。 | 0x0000000b | success | 1 | 0
1619616024.462957 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619616024.462957 | WriteConsoleW | 拒绝访问。 | 0x0000000b | success | 1 | 0
1619616006.297305 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616006.972969 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616038.907719 | WriteConsoleW | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe | 0x00000007 | success | 1 | 0
1619616038.907719 | WriteConsoleW | 拒绝访问。 | 0x0000000b | success | 1 | 0
1619616011.827164 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616016.504175 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616018.219884 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616019.491731 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616020.416552 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616021.568949 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616023.228917 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616024.743501 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
1619616025.098269 | WriteConsoleW | Y | 0x00000007 | success | 1 | 0
Checks amount of memory in system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time | API | Arguments | Status | Return | Repeated
1619615928.373 | GlobalMemoryStatusEx | | success | 1 | 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 1271 events)
Time | API | process_identifier | region_size / length | stack_dep_bypass | stack_pivoted | heap_dep_bypass | protection | process_handle | allocation_type | base_address | Status | Return | Repeated
1619615927.639 | NtAllocateVirtualMemory | 708 | 1835008 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 8192 (MEM_RESERVE) | 0x007d0000 | success | 0 | 0
1619615927.639 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00950000 | success | 0 | 0
1619615928.123 | NtAllocateVirtualMemory | 708 | 1835008 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 8192 (MEM_RESERVE) | 0x00cc0000 | success | 0 | 0
1619615928.123 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00e40000 | success | 0 | 0
1619615928.232 | NtProtectVirtualMemory | 708 | 4096 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | | 0x73b91000 | success | 0 | 0
1619615928.342 | NtAllocateVirtualMemory | 708 | 1703936 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 8192 (MEM_RESERVE) | 0x00ea0000 | success | 0 | 0
1619615928.342 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x01000000 | success | 0 | 0
1619615928.342 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x003da000 | success | 0 | 0
1619615928.357 | NtProtectVirtualMemory | 708 | 8192 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | | 0x73b92000 | success | 0 | 0
1619615928.357 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x003d2000 | success | 0 | 0
1619615928.748 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x003e2000 | success | 0 | 0
1619615928.811 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00405000 | success | 0 | 0
1619615928.811 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x0040b000 | success | 0 | 0
1619615928.811 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00407000 | success | 0 | 0
1619615928.982 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x003e3000 | success | 0 | 0
1619615928.998 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x003ec000 | success | 0 | 0
1619615929.076 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00610000 | success | 0 | 0
1619615929.123 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x003f6000 | success | 0 | 0
1619615929.139 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x003fa000 | success | 0 | 0
1619615929.139 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x003f7000 | success | 0 | 0
1619615929.186 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x003e4000 | success | 0 | 0
1619615929.514 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x003e5000 | success | 0 | 0
1619615929.607 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00611000 | success | 0 | 0
1619615929.795 | NtAllocateVirtualMemory | 708 | 12288 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 12288 (MEM_COMMIT|MEM_RESERVE) | 0x00630000 | success | 0 | 0
1619615932.779 | NtAllocateVirtualMemory | 708 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00612000 | success | 0 | 0
1619615931.1065 | NtAllocateVirtualMemory | 1380 | 1769472 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 8192 (MEM_RESERVE) | 0x007c0000 | success | 0 | 0
1619615931.1065 | NtAllocateVirtualMemory | 1380 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00930000 | success | 0 | 0
1619615931.1385 | NtAllocateVirtualMemory | 1380 | 2293760 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 8192 (MEM_RESERVE) | 0x00c90000 | success | 0 | 0
1619615931.1385 | NtAllocateVirtualMemory | 1380 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00e80000 | success | 0 | 0
1619615931.1385 | NtProtectVirtualMemory | 1380 | 4096 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | | 0x73b91000 | success | 0 | 0
1619615931.1535 | NtAllocateVirtualMemory | 1380 | 1966080 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 8192 (MEM_RESERVE) | 0x00c90000 | success | 0 | 0
1619615931.1535 | NtAllocateVirtualMemory | 1380 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00e30000 | success | 0 | 0
1619615931.1535 | NtAllocateVirtualMemory | 1380 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x0057a000 | success | 0 | 0
1619615931.1535 | NtProtectVirtualMemory | 1380 | 8192 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | | 0x73b92000 | success | 0 | 0
1619615931.1535 | NtAllocateVirtualMemory | 1380 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00572000 | success | 0 | 0
1619615931.1535 | NtAllocateVirtualMemory | 1380 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00582000 | success | 0 | 0
1619615931.1695 | NtAllocateVirtualMemory | 1380 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x005a5000 | success | 0 | 0
1619615931.1695 | NtAllocateVirtualMemory | 1380 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x005ab000 | success | 0 | 0
1619615931.1695 | NtAllocateVirtualMemory | 1380 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x005a7000 | success | 0 | 0
1619615931.1855 | NtAllocateVirtualMemory | 1380 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00583000 | success | 0 | 0
1619615931.6385 | NtAllocateVirtualMemory | 1380 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00e81000 | success | 0 | 0
1619615933.325875 | NtAllocateVirtualMemory | 600 | 2293760 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 8192 (MEM_RESERVE) | 0x00530000 | success | 0 | 0
1619615933.325875 | NtAllocateVirtualMemory | 600 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00720000 | success | 0 | 0
1619615933.341875 | NtAllocateVirtualMemory | 600 | 1769472 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 8192 (MEM_RESERVE) | 0x009a0000 | success | 0 | 0
1619615933.341875 | NtAllocateVirtualMemory | 600 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00b10000 | success | 0 | 0
1619615933.341875 | NtProtectVirtualMemory | 600 | 4096 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | | 0x73b91000 | success | 0 | 0
1619615933.341875 | NtAllocateVirtualMemory | 600 | 1966080 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 8192 (MEM_RESERVE) | 0x00b50000 | success | 0 | 0
1619615933.341875 | NtAllocateVirtualMemory | 600 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x00cf0000 | success | 0 | 0
1619615933.341875 | NtAllocateVirtualMemory | 600 | 4096 | 0 | 0 | 1 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | 4096 (MEM_COMMIT) | 0x0070a000 | success | 0 | 0
1619615933.341875 | NtProtectVirtualMemory | 600 | 8192 | 0 | 0 | 0 | 64 (PAGE_EXECUTE_READWRITE) | 0xffffffff | | 0x73b92000 | success | 0 | 0
Creates a suspicious process (2 events)
cmdline cmd.exe /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe"
cmdline "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe"
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe
A process created a hidden window (31 events)
Time | API | parameters | filepath | filepath_r | show_type | Status | Return | Repeated
1619615932.311 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619615933.435875 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619615934.2635 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619615934.982125 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619615936.075498 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619615936.950498 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619615937.90375 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619615940.904 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619615977.790168 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619615982.729406 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619615997.560617 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616000.542585 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616001.693455 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616008.012872 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616013.249263 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616014.649038 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616015.688884 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616016.827156 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616018.120552 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616019.593041 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616020.963917 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616021.829922 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616025.882456 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616031.505049 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616032.195586 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616033.365283 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616034.749479 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616040.120653 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616041.040585 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616042.444253 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | cmd.exe | cmd.exe | 0 | success | 1 | 0
1619616043.90965 | ShellExecuteExW | /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe" | | | | | |
parameters: /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe"
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 6.894047758938161 section {'size_of_data': '0x0006f400', 'virtual_address': '0x00002000', 'entropy': 6.894047758938161, 'name': '.text', 'virtual_size': '0x0006f3f4'} description A section with a high entropy has been found
entropy 0.9977578475336323 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (31 events)
Time & API Arguments Status Return Repeated
1619615932.686
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619615933.435875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619615934.2635
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619615934.982125
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619615936.075498
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619615936.966498
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619615937.90375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619615940.904
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619615977.790168
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619615982.729406
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619615997.560617
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616000.558585
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616001.709455
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616008.012872
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616013.265263
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616014.649038
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616015.688884
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616016.827156
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616018.120552
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616019.593041
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616020.963917
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616021.829922
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616025.898456
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616031.505049
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616032.210586
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616033.380283
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616034.764479
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616040.120653
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616041.040585
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616042.444253
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619616043.90965
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (50 out of 60 events)
Time & API Arguments Status Return Repeated
1619615933.513875
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000388
failed 0 0
1619615933.513875
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000388
success 0 0
1619615934.3255
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000390
failed 0 0
1619615934.3255
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000390
success 0 0
1619615935.061125
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000380
failed 0 0
1619615935.061125
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000380
success 0 0
1619615936.185498
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000380
failed 0 0
1619615936.185498
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000380
success 0 0
1619615937.060498
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000037c
failed 0 0
1619615937.060498
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000037c
success 0 0
1619615938.01375
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000038c
failed 0 0
1619615938.01375
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000038c
success 0 0
1619615952.217
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
failed 0 0
1619615952.217
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
success 0 0
1619615977.868168
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000038c
failed 0 0
1619615977.868168
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000038c
success 0 0
1619615986.510406
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000380
failed 0 0
1619615986.510406
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000380
success 0 0
1619615997.685617
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000398
failed 0 0
1619615997.685617
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000398
success 0 0
1619616000.652585
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
failed 0 0
1619616000.652585
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
success 0 0
1619616001.849455
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000388
failed 0 0
1619616001.849455
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000388
success 0 0
1619616008.121872
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
failed 0 0
1619616008.121872
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
success 0 0
1619616013.374263
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000037c
failed 0 0
1619616013.374263
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000037c
success 0 0
1619616014.790038
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000038c
failed 0 0
1619616014.790038
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000038c
success 0 0
1619616015.813884
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000380
failed 0 0
1619616015.813884
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000380
success 0 0
1619616016.999156
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
failed 0 0
1619616016.999156
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
success 0 0
1619616018.291552
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
failed 0 0
1619616018.291552
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
success 0 0
1619616019.765041
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
failed 0 0
1619616019.765041
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
success 0 0
1619616021.197917
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000380
failed 0 0
1619616021.197917
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000380
success 0 0
1619616021.985922
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000380
failed 0 0
1619616021.985922
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000380
success 0 0
1619616026.070456
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000037c
failed 0 0
1619616026.070456
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x0000037c
success 0 0
1619616031.692049
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000388
failed 0 0
1619616031.692049
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000388
success 0 0
1619616032.460586
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
failed 0 0
1619616032.460586
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000384
success 0 0
1619616033.615283
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000388
failed 0 0
1619616033.615283
NtTerminateProcess
status_code: 0x00000001
process_identifier: 0
process_handle: 0x00000388
success 0 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline cmd.exe /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe"
cmdline "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6791daf81304df6707b24d58f01fed78.exe"
Network Communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Manipulates memory of a non-child process indicative of process injection (10 events)
Process injection Process 3340 manipulating memory of non-child process 3396
Process injection Process 3704 manipulating memory of non-child process 3852
Process injection Process 2316 manipulating memory of non-child process 2764
Process injection Process 2316 manipulating memory of non-child process 1124
Process injection Process 3816 manipulating memory of non-child process 4440
Time & API Arguments Status Return Repeated
1619615934.2005
NtAllocateVirtualMemory
process_identifier: 3396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000214
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619615937.85675
NtAllocateVirtualMemory
process_identifier: 3852
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000210
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619615989.107617
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000210
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619615996.700617
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000224
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
1619616014.009038
NtAllocateVirtualMemory
process_identifier: 4440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000210
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x000a0000
success 0 0
File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)
Elastic malicious (high confidence)
DrWeb Trojan.Siggen9.34521
MicroWorld-eScan Trojan.GenericKD.33623950
McAfee GenericRXKD-BT!6791DAF81304
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
AegisLab Trojan.Win32.Generic.4!c
K7AntiVirus Trojan ( 0056081c1 )
BitDefender Trojan.GenericKD.33623950
K7GW Trojan ( 0056081c1 )
Cybereason malicious.81304d
BitDefenderTheta Gen:NN.ZemsilF.34700.BmW@aOzDT@o
Cyren W32/MSIL_Kryptik.AJK.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
Kaspersky HEUR:Trojan-Ransom.Win32.Convagent.gen
Alibaba Trojan:Win32/csharp.ali2000008
NANO-Antivirus Trojan.Win32.AveMaria.hifzwd
Tencent Win32.Trojan.Inject.Auto
Ad-Aware Trojan.GenericKD.33623950
Emsisoft Trojan.GenericKD.33623950 (B)
F-Secure Heuristic.HEUR/AGEN.1116674
TrendMicro TROJ_GEN.R06EC0DI220
McAfee-GW-Edition BehavesLike.Win32.Generic.gh
FireEye Generic.mg.6791daf81304df67
Sophos Mal/Generic-R + Troj/Hawkey-FD
Ikarus Trojan.MSIL.Inject
GData Trojan.GenericKD.33623950
Jiangmin Trojan.Generic.eqsqh
Webroot W32.Malware.Gen
Avira HEUR/AGEN.1116674
Antiy-AVL Trojan/Win32.Wacatac
Arcabit Trojan.Generic.D2010F8E
ZoneAlarm HEUR:Trojan-Ransom.Win32.Convagent.gen
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.RL_Generic.C4078602
Acronis suspicious
VBA32 TScope.Trojan.MSIL
ALYac Trojan.GenericKD.33623950
MAX malware (ai score=86)
Malwarebytes Trojan.RNDCrypt.MSIL.Generic
Panda Trj/Dropper.FU
ESET-NOD32 a variant of MSIL/Injector.UTT
TrendMicro-HouseCall TROJ_GEN.R06EC0DI220
SentinelOne Static AI - Suspicious PE
Fortinet MSIL/Injector.UTT!tr
AVG Win32:TrojanX-gen [Trj]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_100% (W)
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)
dead_host 172.217.24.14:443
dead_host 216.58.200.238:443
dead_host 172.217.160.78:443
Visual Analysis
Binary Image
No binary image available: no binary visualization image was generated for this sample.
Runtime Screenshots
No runtime screenshots available: no screenshots were generated while the sample ran.

PE Compile Time

2020-04-07 14:14:09

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 53658 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.