15.4
0-day

15c86d9addf12cd01b56ccd956bb2716558450815f7d1ef2a515848e7240b6df

0029b584f6340836dfba8d26a8171dac.exe

Analysis time: 104s

Last analysis

File size: 1.5MB
Static detections, dynamic detections (detection-name keywords): 100% A + MAL ADCD@8RNP34 AI SCORE=82 AIDETECTVM AMPM ATTRIBUTE AZ8D6EXO22F AZAT CCW5BSGI+5A CONFIDENCE DARKEYE DXWDRC EN0@AU7E75LG ESWS FYNLOSKI GENASA GENCIRC GENERICR GENETIC HIGH CONFIDENCE HIGHCONFIDENCE MALICIOUS PE MALWARE1 OCCAMY QVM03 R335725 RAZY SCORE SEZF SIGGEN STATIC AI SUSGEN TOOL TRMC UNSAFE XJHFH ZAPCHAST ZEVBAF ZUSY
鹰眼引擎 (Eagle Eye engine)
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine | Result | Scan time | Engine version
Alibaba | Trojan:Win32/VBInject.4e36d9a8 | 20190527 | 0.3.0.5
Baidu | | 20190318 | 1.0.0.2
Avast | Win32:Agent-AZAT [Trj] | 20201210 | 21.1.5827.0
Kingsoft | | 20201211 | 2017.9.26.565
McAfee | GenericR-EPS!0029B584F634 | 20201211 | 6.0.6.653
Tencent | Malware.Win32.Gencirc.10b7d08d | 20201211 | 1.0.0.1
CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0
Static indicators
Command line console output was observed (4 events)
Time & API Arguments Status Return Repeated
1619140887.997499
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619140887.997499
WriteConsoleW
buffer: REG
console_handle: 0x00000007
success 1 0
1619140887.997499
WriteConsoleW
buffer: ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe" /f
console_handle: 0x00000007
success 1 0
1619140888.372374
WriteConsoleW
buffer: 操作成功完成。
console_handle: 0x00000007
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619140899.153999
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619140886.122501
__exception__
stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1636412
registers.edi: 1636688
registers.eax: 1636412
registers.ebp: 1636492
registers.edx: 0
registers.ebx: 4880016
registers.esi: 1636688
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS Domain (1 event)
domain mrsnickers03.no-ip.biz
Allocates read-write-execute memory (usually to unpack itself) (50 of 72 events)
Time & API Arguments Status Return Repeated
1619134512.726315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00580000
success 0 0
1619134512.726315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00590000
success 0 0
1619134512.726315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a0000
success 0 0
1619134512.726315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b0000
success 0 0
1619134512.726315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c0000
success 0 0
1619134512.726315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d0000
success 0 0
1619134512.726315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e0000
success 0 0
1619134512.726315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005f0000
success 0 0
1619134512.742315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00600000
success 0 0
1619134512.742315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00610000
success 0 0
1619134512.867315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00720000
success 0 0
1619134512.883315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00730000
success 0 0
1619134512.898315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00740000
success 0 0
1619134512.898315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00750000
success 0 0
1619134512.898315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00760000
success 0 0
1619134512.898315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00770000
success 0 0
1619134512.898315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00780000
success 0 0
1619134512.898315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00790000
success 0 0
1619134512.898315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007a0000
success 0 0
1619134513.836315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007b0000
success 0 0
1619134513.836315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c0000
success 0 0
1619134513.851315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00810000
success 0 0
1619134513.851315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00820000
success 0 0
1619134513.851315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00830000
success 0 0
1619134513.851315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00840000
success 0 0
1619134513.851315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00850000
success 0 0
1619134513.851315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00860000
success 0 0
1619134513.851315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00870000
success 0 0
1619134513.851315
NtAllocateVirtualMemory
process_identifier: 648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00880000
success 0 0
1619140883.654249
NtProtectVirtualMemory
process_identifier: 2740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619140884.325501
NtProtectVirtualMemory
process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619140527.01727
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000003e60000
success 0 0
1619140895.888876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00580000
success 0 0
1619140895.888876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00590000
success 0 0
1619140895.888876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a0000
success 0 0
1619140895.903876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005b0000
success 0 0
1619140895.903876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c0000
success 0 0
1619140895.903876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d0000
success 0 0
1619140895.919876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e0000
success 0 0
1619140895.919876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00630000
success 0 0
1619140895.919876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00640000
success 0 0
1619140895.919876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00650000
success 0 0
1619140896.107876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00660000
success 0 0
1619140896.138876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f70000
success 0 0
1619140896.138876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f80000
success 0 0
1619140896.138876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f90000
success 0 0
1619140896.138876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fa0000
success 0 0
1619140896.138876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fb0000
success 0 0
1619140896.138876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fc0000
success 0 0
1619140896.138876
NtAllocateVirtualMemory
process_identifier: 3176
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fd0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Foreign language identified in PE resource (1 event)
name RT_VERSION offset 0x001799d0 filetype data sublanguage SUBLANG_ARABIC_MOROCCO size 0x00000380
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
Creates a suspicious process (1 event)
cmdline C:\Windows\System32\svchost.exe
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated
1619140887.669501
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\REBQY.bat
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\REBQY.bat
show_type: 0
success 1 0
1619140894.435501
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
show_type: 0
success 1 0
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1619134511.336315
NtProtectVirtualMemory
process_identifier: 648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x003d0000
success 0 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (50 of 58 events)
Time & API Arguments Status Return Repeated
1619140899.294999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140900.810999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140902.341999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140903.888999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140905.403999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140906.919999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140908.435999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140909.950999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140911.466999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140912.997999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140914.513999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140916.060999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140917.575999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140919.091999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140920.622999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140922.138999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140923.653999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140925.185999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140926.716999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140928.232999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140929.747999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140931.278999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140932.794999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140934.310999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140935.825999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140937.341999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140938.872999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140940.419999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140941.950999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140943.482999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140945.013999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140946.544999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140948.060999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140949.560999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140951.122999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140952.653999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140954.169999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140955.700999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140957.216999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140958.935999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140960.513999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140962.028999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140963.591999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140965.153999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140966.732999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140968.247999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140969.794999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140971.388999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619140899.185999
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1619140899.216999
LookupPrivilegeValueW
system_name:
privilege_name: SeTakeOwnershipPrivilege
success 1 0
Created a process named as a common system process (2 events)
Time & API Arguments Status Return Repeated
1619134513.304315
CreateProcessInternalW
thread_identifier: 2440
thread_handle: 0x000000c0
process_identifier: 2740
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\svchost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000c8
inherit_handles: 0
success 1 0
1619140896.278876
CreateProcessInternalW
thread_identifier: 3256
thread_handle: 0x000000c0
process_identifier: 3252
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\svchost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000c8
inherit_handles: 0
success 1 0
Uses Windows utilities for basic Windows functionality (1 event)
cmdline REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe" /f
Network communication
One or more of the buffers contains an embedded PE file (2 events)
buffer Buffer with sha1: 78aac5cf2801892bb1d7bf0b50b4967009c577e6
buffer Buffer with sha1: 4598324d029030a6552b779d502e63a4f7687cb7
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process, indicative of possible code injection (5 events)
Time & API Arguments Status Return Repeated
1619134513.304315
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619134513.883315
NtAllocateVirtualMemory
process_identifier: 2536
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000cc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619140896.278876
NtAllocateVirtualMemory
process_identifier: 3252
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619140897.075876
NtAllocateVirtualMemory
process_identifier: 3320
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000cc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619140897.622876
NtAllocateVirtualMemory
process_identifier: 3384
region_size: 749568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000d4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\java reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
Detects Avast Antivirus through the presence of a library (4 events)
Time & API Arguments Status Return Repeated
1619134512.742315
LdrGetDllHandle
module_name: snxhk.dll
stack_pivoted: 0
module_address: 0x00000000
failed 3221225781 0
1619134512.742315
LdrGetDllHandle
module_name: snxhk.dll
stack_pivoted: 0
module_address: 0x00000000
failed 3221225781 0
1619140895.919876
LdrGetDllHandle
module_name: snxhk.dll
stack_pivoted: 0
module_address: 0x00000000
failed 3221225781 0
1619140895.919876
LdrGetDllHandle
module_name: snxhk.dll
stack_pivoted: 0
module_address: 0x00000000
failed 3221225781 0
Creates known Fynloski/DarkComet files, registry keys and/or mutexes (3 events)
mutex DC_MUTEX-6ZFK11A
regkey HKEY_CURRENT_USER\Software\DC3_FEXEC
regkey HKEY_CURRENT_USER\Software\DC2_USERS
Potential code injection by writing to the memory of another process (13 events)
Time & API Arguments Status Return Repeated
1619134513.304315
WriteProcessMemory
process_identifier: 2740
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619134513.304315
WriteProcessMemory
process_identifier: 2740
buffer: ¤t P(€Ȁ€¤t P1uP€2ux€3u €¤t PhL¡0°¤t P€¢è°¤t P¸l¥(°¤t Pà€¤t Pø˜¦0°¤t P €¤t P 8̦(°¸g( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÐd( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¨c( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿxc 01u è2u(3uPa(4VS_VERSION_INFO½ïþDVarFileInfo$Translation °ˆStringFileInfod040904B0D$CompanyNameArachnid Software4ProductNameWatchIt!, FileVersion1.000 ProductVersion1.004InternalNameWatchIt!DOriginalFilenameWatchIt!.exeT©0©a©L©n©|©Œ©œ©ª©¸©h€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000c8
base_address: 0x0040a000
success 1 0
1619134513.304315
WriteProcessMemory
process_identifier: 2740
buffer: ¿@‰@ÿàŠ@t/¡ƒÇ»°@ÿã¾@‰@ÿæÐ,°x\ôàÈ÷÷÷Dt9ôô`ô¢]Ct9ôq²Bœôe³Bt9ô\Cœôœôt9ôìr-€fò H. Œ£uðò(ôÕq w}¯¼7þÿÿÿŒã›wòà›w\ôdôÿÿÿÿÐ,Àóìó³ý~bÜó BÂu0³ý~ô`-€fò :/*8ôRç›wheòxfòô#à›wdôdôxfò,ô¨æ›w-€fò<ôæ›w€fòþÿÿÿô¢íËvdô;0Êv²øÍV€öŒ ¬ô„ŠCEdôœô€öt9ôå±Bt9ô€öt9ôÓYC½Œ Œ ö¼‹CŒ
process_handle: 0x000000c8
base_address: 0x0040b000
success 1 0
1619134513.304315
WriteProcessMemory
process_identifier: 2740
buffer: @
process_handle: 0x000000c8
base_address: 0x7efde008
success 1 0
1619134513.883315
WriteProcessMemory
process_identifier: 2536
buffer: ô϶O0€Ѐ€P€ô϶O1uX€2u€€3u¨€ô϶Opœ¡0°ô϶O˜Ð¢è°ô϶OÀ¼¥(°ô϶Oè€ô϶Oè¦0°ô϶O(€ô϶O @§À°€h€€à¨&PUT˜a( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÈb( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ°e( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿØf 01u è2u(3ugÀ4VS_VERSION_INFO½ïþDVarFileInfo$Translation ° StringFileInfoü040904B00ProductNameCRITIC, FileVersion1.000 ProductVersion1.00$InternalNamea4 OriginalFilenamea.exeÈhjava*1*|OFF|*appdata*IDM\*ichader.exe*h©D©u©`©‚©© ©°©¾©Ì©k€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000cc
base_address: 0x0040a000
success 1 0
1619134513.883315
WriteProcessMemory
process_identifier: 2536
buffer: @
process_handle: 0x000000cc
base_address: 0x7efde008
success 1 0
1619140896.278876
WriteProcessMemory
process_identifier: 3252
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619140896.278876
WriteProcessMemory
process_identifier: 3252
buffer: ¤t P(€Ȁ€¤t P1uP€2ux€3u €¤t PhL¡0°¤t P€¢è°¤t P¸l¥(°¤t Pà€¤t Pø˜¦0°¤t P €¤t P 8̦(°¸g( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÐd( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¨c( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿxc 01u è2u(3uPa(4VS_VERSION_INFO½ïþDVarFileInfo$Translation °ˆStringFileInfod040904B0D$CompanyNameArachnid Software4ProductNameWatchIt!, FileVersion1.000 ProductVersion1.004InternalNameWatchIt!DOriginalFilenameWatchIt!.exeT©0©a©L©n©|©Œ©œ©ª©¸©h€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000c8
base_address: 0x0040a000
success 1 0
1619140896.278876
WriteProcessMemory
process_identifier: 3252
buffer: ¿@‰@ÿàŠ@t/¡ƒÇ»°@ÿã¾@‰@ÿæÐ,°x\ôàÈ÷÷÷Dt9ôô`ô¢]Ct9ôq²Bœôe³Bt9ô\Cœôœôt9ôìr-€fò H. Œ£uðò(ôÕq w}¯¼7þÿÿÿŒã›wòà›w\ôdôÿÿÿÿÐ,Àóìó³ý~bÜó BÂu0³ý~ô`-€fò :/*8ôRç›wheòxfòô#à›wdôdôxfò,ô¨æ›w-€fò<ôæ›w€fòþÿÿÿô¢íËvdô;0Êv²øÍV€öŒ ¬ô„ŠCEdôœô€öt9ôå±Bt9ô€öt9ôÓYC½Œ Œ ö¼‹CŒ
process_handle: 0x000000c8
base_address: 0x0040b000
success 1 0
1619140896.278876
WriteProcessMemory
process_identifier: 3252
buffer: @
process_handle: 0x000000c8
base_address: 0x7efde008
success 1 0
1619140897.075876
WriteProcessMemory
process_identifier: 3320
buffer: ô϶O0€Ѐ€P€ô϶O1uX€2u€€3u¨€ô϶Opœ¡0°ô϶O˜Ð¢è°ô϶OÀ¼¥(°ô϶Oè€ô϶Oè¦0°ô϶O(€ô϶O @§À°€h€€à¨&PUT˜a( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÈb( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ°e( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿØf 01u è2u(3ugÀ4VS_VERSION_INFO½ïþDVarFileInfo$Translation ° StringFileInfoü040904B00ProductNameCRITIC, FileVersion1.000 ProductVersion1.00$InternalNamea4 OriginalFilenamea.exeÈhjava*1*|OFF|*appdata*IDM\*ichader.exe*h©D©u©`©‚©© ©°©¾©Ì©k€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000cc
base_address: 0x0040a000
success 1 0
1619140897.075876
WriteProcessMemory
process_identifier: 3320
buffer: @
process_handle: 0x000000cc
base_address: 0x7efde008
success 1 0
1619140897.622876
WriteProcessMemory
process_identifier: 3384
buffer: @
process_handle: 0x000000d4
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619134513.304315
WriteProcessMemory
process_identifier: 2740
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619140896.278876
WriteProcessMemory
process_identifier: 3252
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
Creates a Windows hook that monitors keyboard input (keylogger) (1 event)
Time & API Arguments Status Return Repeated
1619140899.294999
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x004818f8
module_address: 0x00400000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 66045 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (10 events)
Process injection Process 648 called NtSetContextThread to modify thread in remote process 2740
Process injection Process 648 called NtSetContextThread to modify thread in remote process 2536
Process injection Process 3176 called NtSetContextThread to modify thread in remote process 3252
Process injection Process 3176 called NtSetContextThread to modify thread in remote process 3320
Process injection Process 3176 called NtSetContextThread to modify thread in remote process 3384
Time & API Arguments Status Return Repeated
1619134513.304315
NtSetContextThread
thread_handle: 0x000000c0
registers.eip: 2010382788
registers.esp: 2817100
registers.edi: 0
registers.eax: 4239360
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2740
success 0 0
1619134513.883315
NtSetContextThread
thread_handle: 0x000000d0
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4228560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2536
success 0 0
1619140896.278876
NtSetContextThread
thread_handle: 0x000000c0
registers.eip: 2010382788
registers.esp: 1767584
registers.edi: 0
registers.eax: 4239360
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3252
success 0 0
1619140897.075876
NtSetContextThread
thread_handle: 0x000000d0
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4228560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3320
success 0 0
1619140897.622876
NtSetContextThread
thread_handle: 0x000000d8
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4936208
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3384
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (14 events)
Process injection Process 648 resumed a thread in remote process 2740
Process injection Process 648 resumed a thread in remote process 2536
Process injection Process 2536 resumed a thread in remote process 2200
Process injection Process 2536 resumed a thread in remote process 3176
Process injection Process 3176 resumed a thread in remote process 3252
Process injection Process 3176 resumed a thread in remote process 3320
Process injection Process 3176 resumed a thread in remote process 3384
Time & API Arguments Status Return Repeated
1619134513.711315
NtResumeThread
thread_handle: 0x000000c0
suspend_count: 1
process_identifier: 2740
success 0 0
1619134514.336315
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2536
success 0 0
1619140887.669501
NtResumeThread
thread_handle: 0x0000026c
suspend_count: 1
process_identifier: 2200
success 0 0
1619140894.435501
NtResumeThread
thread_handle: 0x000002cc
suspend_count: 1
process_identifier: 3176
success 0 0
1619140896.607876
NtResumeThread
thread_handle: 0x000000c0
suspend_count: 1
process_identifier: 3252
success 0 0
1619140897.419876
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 3320
success 0 0
1619140898.060876
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3384
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 65 events)
Time & API Arguments Status Return Repeated
1619134513.304315
CreateProcessInternalW
thread_identifier: 2440
thread_handle: 0x000000c0
process_identifier: 2740
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\svchost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000c8
inherit_handles: 0
success 1 0
1619134513.304315
NtUnmapViewOfSection
process_identifier: 2740
region_size: 4259840
process_handle: 0x000000c8
base_address: 0x00400000
failed 3221225497 0
1619134513.304315
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619134513.304315
WriteProcessMemory
process_identifier: 2740
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619134513.304315
WriteProcessMemory
process_identifier: 2740
buffer:
process_handle: 0x000000c8
base_address: 0x00401000
failed 0 0
1619134513.304315
WriteProcessMemory
process_identifier: 2740
buffer:
process_handle: 0x000000c8
base_address: 0x00407000
success 1 0
1619134513.304315
WriteProcessMemory
process_identifier: 2740
buffer: ¤t P(€Ȁ€¤t P1uP€2ux€3u €¤t PhL¡0°¤t P€¢è°¤t P¸l¥(°¤t Pà€¤t Pø˜¦0°¤t P €¤t P 8̦(°¸g( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÐd( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¨c( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿxc 01u è2u(3uPa(4VS_VERSION_INFO½ïþDVarFileInfo$Translation °ˆStringFileInfod040904B0D$CompanyNameArachnid Software4ProductNameWatchIt!, FileVersion1.000 ProductVersion1.004InternalNameWatchIt!DOriginalFilenameWatchIt!.exeT©0©a©L©n©|©Œ©œ©ª©¸©h€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000c8
base_address: 0x0040a000
success 1 0
1619134513.304315
WriteProcessMemory
process_identifier: 2740
buffer: ¿@‰@ÿàŠ@t/¡ƒÇ»°@ÿã¾@‰@ÿæÐ,°x\ôàÈ÷÷÷Dt9ôô`ô¢]Ct9ôq²Bœôe³Bt9ô\Cœôœôt9ôìr-€fò H. Œ£uðò(ôÕq w}¯¼7þÿÿÿŒã›wòà›w\ôdôÿÿÿÿÐ,Àóìó³ý~bÜó BÂu0³ý~ô`-€fò :/*8ôRç›wheòxfòô#à›wdôdôxfò,ô¨æ›w-€fò<ôæ›w€fòþÿÿÿô¢íËvdô;0Êv²øÍV€öŒ ¬ô„ŠCEdôœô€öt9ôå±Bt9ô€öt9ôÓYC½Œ Œ ö¼‹CŒ
process_handle: 0x000000c8
base_address: 0x0040b000
success 1 0
1619134513.304315
NtGetContextThread
thread_handle: 0x000000c0
success 0 0
1619134513.304315
WriteProcessMemory
process_identifier: 2740
buffer: @
process_handle: 0x000000c8
base_address: 0x7efde008
success 1 0
1619134513.304315
NtSetContextThread
thread_handle: 0x000000c0
registers.eip: 2010382788
registers.esp: 2817100
registers.edi: 0
registers.eax: 4239360
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2740
success 0 0
1619134513.711315
NtResumeThread
thread_handle: 0x000000c0
suspend_count: 1
process_identifier: 2740
success 0 0
1619134513.883315
CreateProcessInternalW
thread_identifier: 2476
thread_handle: 0x000000d0
process_identifier: 2536
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\0029b584f6340836dfba8d26a8171dac.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\0029b584f6340836dfba8d26a8171dac.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619134513.883315
NtUnmapViewOfSection
process_identifier: 2536
region_size: 4096
process_handle: 0x000000cc
base_address: 0x00400000
success 0 0
1619134513.883315
NtAllocateVirtualMemory
process_identifier: 2536
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000cc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619134513.883315
WriteProcessMemory
process_identifier: 2536
buffer:
process_handle: 0x000000cc
base_address: 0x00400000
success 1 0
1619134513.883315
WriteProcessMemory
process_identifier: 2536
buffer:
process_handle: 0x000000cc
base_address: 0x00401000
failed 0 0
1619134513.883315
WriteProcessMemory
process_identifier: 2536
buffer:
process_handle: 0x000000cc
base_address: 0x00407000
success 1 0
1619134513.883315
WriteProcessMemory
process_identifier: 2536
buffer: ô϶O0€Ѐ€P€ô϶O1uX€2u€€3u¨€ô϶Opœ¡0°ô϶O˜Ð¢è°ô϶OÀ¼¥(°ô϶Oè€ô϶Oè¦0°ô϶O(€ô϶O @§À°€h€€à¨&PUT˜a( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÈb( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ°e( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿØf 01u è2u(3ugÀ4VS_VERSION_INFO½ïþDVarFileInfo$Translation ° StringFileInfoü040904B00ProductNameCRITIC, FileVersion1.000 ProductVersion1.00$InternalNamea4 OriginalFilenamea.exeÈhjava*1*|OFF|*appdata*IDM\*ichader.exe*h©D©u©`©‚©© ©°©¾©Ì©k€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000cc
base_address: 0x0040a000
success 1 0
1619134513.883315
NtGetContextThread
thread_handle: 0x000000d0
success 0 0
1619134513.883315
WriteProcessMemory
process_identifier: 2536
buffer: @
process_handle: 0x000000cc
base_address: 0x7efde008
success 1 0
1619134513.883315
NtSetContextThread
thread_handle: 0x000000d0
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4228560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2536
success 0 0
1619134514.336315
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2536
success 0 0
1619140886.857501
NtResumeThread
thread_handle: 0x00000210
suspend_count: 1
process_identifier: 2536
success 0 0
1619140887.185501
CreateProcessInternalW
thread_identifier: 2996
thread_handle: 0x0000026c
process_identifier: 2200
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\REBQY.bat"
filepath_r:
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000270
inherit_handles: 0
success 1 0
1619140887.669501
NtResumeThread
thread_handle: 0x0000026c
suspend_count: 1
process_identifier: 2200
success 0 0
1619140894.044501
CreateProcessInternalW
thread_identifier: 3180
thread_handle: 0x000002cc
process_identifier: 3176
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002bc
inherit_handles: 0
success 1 0
1619140894.435501
NtResumeThread
thread_handle: 0x000002cc
suspend_count: 1
process_identifier: 3176
success 0 0
1619140888.138499
CreateProcessInternalW
thread_identifier: 2196
thread_handle: 0x00000084
process_identifier: 2712
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\reg.exe
track: 1
command_line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe" /f
filepath_r: C:\Windows\system32\reg.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000080
inherit_handles: 1
success 1 0
1619140896.278876
CreateProcessInternalW
thread_identifier: 3256
thread_handle: 0x000000c0
process_identifier: 3252
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\svchost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000c8
inherit_handles: 0
success 1 0
1619140896.278876
NtUnmapViewOfSection
process_identifier: 3252
region_size: 4259840
process_handle: 0x000000c8
base_address: 0x00400000
failed 3221225497 0
1619140896.278876
NtAllocateVirtualMemory
process_identifier: 3252
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619140896.278876
WriteProcessMemory
process_identifier: 3252
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619140896.278876
WriteProcessMemory
process_identifier: 3252
buffer:
process_handle: 0x000000c8
base_address: 0x00401000
success 1 0
1619140896.278876
WriteProcessMemory
process_identifier: 3252
buffer:
process_handle: 0x000000c8
base_address: 0x00407000
success 1 0
1619140896.278876
WriteProcessMemory
process_identifier: 3252
buffer: ¤t P(€Ȁ€¤t P1uP€2ux€3u €¤t PhL¡0°¤t P€¢è°¤t P¸l¥(°¤t Pà€¤t Pø˜¦0°¤t P €¤t P 8̦(°¸g( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÐd( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¨c( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿxc 01u è2u(3uPa(4VS_VERSION_INFO½ïþDVarFileInfo$Translation °ˆStringFileInfod040904B0D$CompanyNameArachnid Software4ProductNameWatchIt!, FileVersion1.000 ProductVersion1.004InternalNameWatchIt!DOriginalFilenameWatchIt!.exeT©0©a©L©n©|©Œ©œ©ª©¸©h€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000c8
base_address: 0x0040a000
success 1 0
1619140896.278876
WriteProcessMemory
process_identifier: 3252
buffer: ¿@‰@ÿàŠ@t/¡ƒÇ»°@ÿã¾@‰@ÿæÐ,°x\ôàÈ÷÷÷Dt9ôô`ô¢]Ct9ôq²Bœôe³Bt9ô\Cœôœôt9ôìr-€fò H. Œ£uðò(ôÕq w}¯¼7þÿÿÿŒã›wòà›w\ôdôÿÿÿÿÐ,Àóìó³ý~bÜó BÂu0³ý~ô`-€fò :/*8ôRç›wheòxfòô#à›wdôdôxfò,ô¨æ›w-€fò<ôæ›w€fòþÿÿÿô¢íËvdô;0Êv²øÍV€öŒ ¬ô„ŠCEdôœô€öt9ôå±Bt9ô€öt9ôÓYC½Œ Œ ö¼‹CŒ
process_handle: 0x000000c8
base_address: 0x0040b000
success 1 0
1619140896.278876
NtGetContextThread
thread_handle: 0x000000c0
success 0 0
1619140896.278876
WriteProcessMemory
process_identifier: 3252
buffer: @
process_handle: 0x000000c8
base_address: 0x7efde008
success 1 0
1619140896.278876
NtSetContextThread
thread_handle: 0x000000c0
registers.eip: 2010382788
registers.esp: 1767584
registers.edi: 0
registers.eax: 4239360
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3252
success 0 0
1619140896.607876
NtResumeThread
thread_handle: 0x000000c0
suspend_count: 1
process_identifier: 3252
success 0 0
1619140897.075876
CreateProcessInternalW
thread_identifier: 3324
thread_handle: 0x000000d0
process_identifier: 3320
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619140897.075876
NtUnmapViewOfSection
process_identifier: 3320
region_size: 4096
process_handle: 0x000000cc
base_address: 0x00400000
success 0 0
1619140897.075876
NtAllocateVirtualMemory
process_identifier: 3320
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000cc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619140897.075876
WriteProcessMemory
process_identifier: 3320
buffer:
process_handle: 0x000000cc
base_address: 0x00400000
success 1 0
1619140897.075876
WriteProcessMemory
process_identifier: 3320
buffer:
process_handle: 0x000000cc
base_address: 0x00401000
failed 0 0
1619140897.075876
WriteProcessMemory
process_identifier: 3320
buffer:
process_handle: 0x000000cc
base_address: 0x00407000
success 1 0
1619140897.075876
WriteProcessMemory
process_identifier: 3320
buffer: ô϶O0€Ѐ€P€ô϶O1uX€2u€€3u¨€ô϶Opœ¡0°ô϶O˜Ð¢è°ô϶OÀ¼¥(°ô϶Oè€ô϶Oè¦0°ô϶O(€ô϶O @§À°€h€€à¨&PUT˜a( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÈb( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ°e( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿØf 01u è2u(3ugÀ4VS_VERSION_INFO½ïþDVarFileInfo$Translation ° StringFileInfoü040904B00ProductNameCRITIC, FileVersion1.000 ProductVersion1.00$InternalNamea4 OriginalFilenamea.exeÈhjava*1*|OFF|*appdata*IDM\*ichader.exe*h©D©u©`©‚©© ©°©¾©Ì©k€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000cc
base_address: 0x0040a000
success 1 0
1619140897.075876
NtGetContextThread
thread_handle: 0x000000d0
success 0 0
1619140897.075876
WriteProcessMemory
process_identifier: 3320
buffer: @
process_handle: 0x000000cc
base_address: 0x7efde008
success 1 0
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2012-09-05 08:15:40

Imports

Library MSVBVM60.DLL:
0x401000 MethCallEngine
0x401004
0x401008 EVENT_SINK_AddRef
0x40100c
0x401010
0x401014 DllFunctionCall
0x401018 EVENT_SINK_Release
0x401020 __vbaExceptHandler
0x401024
0x401028 ProcCallEngine
0x40102c

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51809 239.255.255.250 3702
192.168.56.101 51811 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62194 239.255.255.250 1900
192.168.56.101 63430 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.