15.8
0-day
该样本未表现出任何异常!
重新分析
更多

7de66655b24d62fb2fcdeb1e20299f6b5f9c3beaa4485acf6f4b12c7aa8874ea

313b7f681fbab1be58ee1ec570a5dbbb.exe

分析耗时

108s

最近分析

文件大小

1.5MB
静态报毒 动态报毒 FYNLOSKI
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
未检测 暂无反病毒引擎检测结果
静态指标
Command line console output was observed (4 个事件)
Time & API Arguments Status Return Repeated
1619379784.877876
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619379784.877876
WriteConsoleW
buffer: REG
console_handle: 0x00000007
success 1 0
1619379784.877876
WriteConsoleW
buffer: ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe" /f
console_handle: 0x00000007
success 1 0
1619379785.160124
WriteConsoleW
buffer: 操作成功完成。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619379793.174499
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619379783.580626
__exception__
stacktrace: 
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1636412
registers.edi: 1636688
registers.eax: 1636412
registers.ebp: 1636492
registers.edx: 0
registers.ebx: 5142160
registers.esi: 1636688
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS Domain (1 个事件)
domain mrsnickers03.no-ip.biz
Allocates read-write-execute memory (usually to unpack itself) (50 out of 72 个事件)
Time & API Arguments Status Return Repeated
1619379770.518751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00670000
success 0 0
1619379770.518751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00680000
success 0 0
1619379770.518751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006e0000
success 0 0
1619379770.518751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006f0000
success 0 0
1619379770.518751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00700000
success 0 0
1619379770.518751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00710000
success 0 0
1619379770.518751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00720000
success 0 0
1619379770.518751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00730000
success 0 0
1619379770.518751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00740000
success 0 0
1619379770.518751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00750000
success 0 0
1619379770.534751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00760000
success 0 0
1619379770.549751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02650000
success 0 0
1619379770.549751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02660000
success 0 0
1619379770.549751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02670000
success 0 0
1619379770.549751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02680000
success 0 0
1619379770.549751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02690000
success 0 0
1619379770.549751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026a0000
success 0 0
1619379770.549751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026b0000
success 0 0
1619379770.549751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02800000
success 0 0
1619379771.080751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02810000
success 0 0
1619379771.080751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02820000
success 0 0
1619379771.080751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02830000
success 0 0
1619379771.080751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02840000
success 0 0
1619379771.080751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02850000
success 0 0
1619379771.080751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02860000
success 0 0
1619379771.080751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02870000
success 0 0
1619379771.080751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028c0000
success 0 0
1619379771.080751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028d0000
success 0 0
1619379771.080751
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028e0000
success 0 0
1619379771.159876
NtProtectVirtualMemory
process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619379771.252626
NtProtectVirtualMemory
process_identifier: 1888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619379833.393876
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004600000
success 0 0
1619379790.159374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00620000
success 0 0
1619379790.159374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00630000
success 0 0
1619379790.159374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00640000
success 0 0
1619379790.159374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00650000
success 0 0
1619379790.159374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00660000
success 0 0
1619379790.159374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02640000
success 0 0
1619379790.159374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02790000
success 0 0
1619379790.159374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027a0000
success 0 0
1619379790.159374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027b0000
success 0 0
1619379790.159374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c0000
success 0 0
1619379790.174374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x029d0000
success 0 0
1619379790.174374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x029e0000
success 0 0
1619379790.174374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x029f0000
success 0 0
1619379790.174374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a00000
success 0 0
1619379790.174374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a10000
success 0 0
1619379790.174374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a20000
success 0 0
1619379790.174374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a30000
success 0 0
1619379790.174374
NtAllocateVirtualMemory
process_identifier: 2964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a40000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Foreign language identified in PE resource (1 个事件)
name RT_VERSION offset 0x001799d0 filetype data sublanguage SUBLANG_ARABIC_MOROCCO size 0x00000380
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
Creates a suspicious process (1 个事件)
cmdline C:\Windows\System32\svchost.exe
Drops a binary and executes it (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
Drops an executable to the user AppData folder (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
A process created a hidden window (2 个事件)
Time & API Arguments Status Return Repeated
1619379784.612626
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\YMKJN.bat
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\YMKJN.bat
show_type: 0
success 1 0
1619379789.205626
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
show_type: 0
success 1 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)
Time & API Arguments Status Return Repeated
1619379769.315751
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00640000
success 0 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (50 out of 51 个事件)
Time & API Arguments Status Return Repeated
1619379792.002751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379793.502751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379795.002751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379796.502751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379798.002751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379799.502751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379801.002751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379802.502751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379804.002751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379805.502751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379807.002751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379808.502751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379810.002751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379811.502751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379813.002751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379814.502751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379816.002751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379817.502751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379819.002751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379820.518751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379822.018751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379823.518751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379825.034751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379826.534751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379828.034751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379829.549751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379831.080751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379832.580751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379834.080751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379835.580751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379837.080751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379838.596751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379840.096751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379841.596751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379843.096751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379844.627751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379846.143751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379847.643751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379849.143751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379850.643751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379852.143751
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379793.190499
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1619379793.190499
LookupPrivilegeValueW
system_name:
privilege_name: SeTakeOwnershipPrivilege
success 1 0
1619379793.190499
LookupPrivilegeValueW
system_name:
privilege_name: SeLoadDriverPrivilege
success 1 0
1619379793.205499
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1619379793.205499
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1619379793.205499
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1619379793.205499
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619379793.205499
LookupPrivilegeValueW
system_name:
privilege_name: SeRemoteShutdownPrivilege
success 1 0
1619379793.205499
LookupPrivilegeValueW
system_name:
privilege_name: SeManageVolumePrivilege
success 1 0
Created a process named as a common system process (2 个事件)
Time & API Arguments Status Return Repeated
1619379770.877751
CreateProcessInternalW
thread_identifier: 1912
thread_handle: 0x000000c0
process_identifier: 2620
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\svchost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000c8
inherit_handles: 0
success 1 0
1619379790.190374
CreateProcessInternalW
thread_identifier: 192
thread_handle: 0x000000c0
process_identifier: 2764
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\svchost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000c8
inherit_handles: 0
success 1 0
Uses Windows utilities for basic Windows functionality (1 个事件)
cmdline REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe" /f
网络通信
One or more of the buffers contains an embedded PE file (2 个事件)
buffer Buffer with sha1: 78aac5cf2801892bb1d7bf0b50b4967009c577e6
buffer Buffer with sha1: 4598324d029030a6552b779d502e63a4f7687cb7
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (5 个事件)
Time & API Arguments Status Return Repeated
1619379770.877751
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619379771.096751
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000cc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619379790.190374
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619379790.299374
NtAllocateVirtualMemory
process_identifier: 3128
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000cc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619379790.330374
NtAllocateVirtualMemory
process_identifier: 3192
region_size: 749568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000d4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Installs itself for autorun at Windows startup (1 个事件)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\java reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
Detects Avast Antivirus through the presence of a library (4 个事件)
Time & API Arguments Status Return Repeated
1619379770.518751
LdrGetDllHandle
module_name: snxhk.dll
stack_pivoted: 0
module_address: 0x00000000
failed 3221225781 0
1619379770.518751
LdrGetDllHandle
module_name: snxhk.dll
stack_pivoted: 0
module_address: 0x00000000
failed 3221225781 0
1619379790.159374
LdrGetDllHandle
module_name: snxhk.dll
stack_pivoted: 0
module_address: 0x00000000
failed 3221225781 0
1619379790.159374
LdrGetDllHandle
module_name: snxhk.dll
stack_pivoted: 0
module_address: 0x00000000
failed 3221225781 0
Creates known Fynloski/DarkComet files, registry keys and/or mutexes (3 个事件)
mutex DC_MUTEX-6ZFK11A
regkey HKEY_CURRENT_USER\Software\DC3_FEXEC
regkey HKEY_CURRENT_USER\Software\DC2_USERS
Potential code injection by writing to the memory of another process (13 个事件)
Time & API Arguments Status Return Repeated
1619379770.877751
WriteProcessMemory
process_identifier: 2620
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619379770.893751
WriteProcessMemory
process_identifier: 2620
buffer: ¤t P(€Ȁ€¤t P1uP€2ux€3u €¤t PhL¡0°¤t P€¢è°¤t P¸l¥(°¤t Pà€¤t Pø˜¦0°¤t P €¤t P 8̦(°¸g( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÐd( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¨c( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿxc 01u è2u(3uPa(4VS_VERSION_INFO½ïþDVarFileInfo$Translation °ˆStringFileInfod040904B0D$CompanyNameArachnid Software4ProductNameWatchIt!, FileVersion1.000 ProductVersion1.004InternalNameWatchIt!DOriginalFilenameWatchIt!.exeT©0©a©L©n©|©Œ©œ©ª©¸©h€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000c8
base_address: 0x0040a000
success 1 0
1619379770.893751
WriteProcessMemory
process_identifier: 2620
buffer: ¿@‰@ÿàŠ@t/¡ƒÇ»°@ÿã¾@‰@ÿæÐ,°x\ôàÈ÷÷÷Dt9ôô`ô¢]Ct9ôq²Bœôe³Bt9ô\Cœôœôt9ôìr-€fò H. Œ£uðò(ôÕq w}¯¼7þÿÿÿŒã›wòà›w\ôdôÿÿÿÿÐ,Àóìó³ý~bÜó BÂu0³ý~ô`-€fò :/*8ôRç›wheòxfòô#à›wdôdôxfò,ô¨æ›w-€fò<ôæ›w€fòþÿÿÿô¢íËvdô;0Êv²øÍV€öŒ ¬ô„ŠCEdôœô€öt9ôå±Bt9ô€öt9ôÓYC½Œ Œ ö¼‹CŒ
process_handle: 0x000000c8
base_address: 0x0040b000
success 1 0
1619379770.893751
WriteProcessMemory
process_identifier: 2620
buffer: @
process_handle: 0x000000c8
base_address: 0x7efde008
success 1 0
1619379771.096751
WriteProcessMemory
process_identifier: 1888
buffer: ô϶O0€Ѐ€P€ô϶O1uX€2u€€3u¨€ô϶Opœ¡0°ô϶O˜Ð¢è°ô϶OÀ¼¥(°ô϶Oè€ô϶Oè¦0°ô϶O(€ô϶O @§À°€h€€à¨&PUT˜a( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÈb( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ°e( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿØf 01u è2u(3ugÀ4VS_VERSION_INFO½ïþDVarFileInfo$Translation ° StringFileInfoü040904B00ProductNameCRITIC, FileVersion1.000 ProductVersion1.00$InternalNamea4 OriginalFilenamea.exeÈhjava*1*|OFF|*appdata*IDM\*ichader.exe*h©D©u©`©‚©© ©°©¾©Ì©k€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000cc
base_address: 0x0040a000
success 1 0
1619379771.096751
WriteProcessMemory
process_identifier: 1888
buffer: @
process_handle: 0x000000cc
base_address: 0x7efde008
success 1 0
1619379790.190374
WriteProcessMemory
process_identifier: 2764
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619379790.190374
WriteProcessMemory
process_identifier: 2764
buffer: ¤t P(€Ȁ€¤t P1uP€2ux€3u €¤t PhL¡0°¤t P€¢è°¤t P¸l¥(°¤t Pà€¤t Pø˜¦0°¤t P €¤t P 8̦(°¸g( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÐd( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¨c( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿxc 01u è2u(3uPa(4VS_VERSION_INFO½ïþDVarFileInfo$Translation °ˆStringFileInfod040904B0D$CompanyNameArachnid Software4ProductNameWatchIt!, FileVersion1.000 ProductVersion1.004InternalNameWatchIt!DOriginalFilenameWatchIt!.exeT©0©a©L©n©|©Œ©œ©ª©¸©h€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000c8
base_address: 0x0040a000
success 1 0
1619379790.190374
WriteProcessMemory
process_identifier: 2764
buffer: ¿@‰@ÿàŠ@t/¡ƒÇ»°@ÿã¾@‰@ÿæÐ,°x\ôàÈ÷÷÷Dt9ôô`ô¢]Ct9ôq²Bœôe³Bt9ô\Cœôœôt9ôìr-€fò H. Œ£uðò(ôÕq w}¯¼7þÿÿÿŒã›wòà›w\ôdôÿÿÿÿÐ,Àóìó³ý~bÜó BÂu0³ý~ô`-€fò :/*8ôRç›wheòxfòô#à›wdôdôxfò,ô¨æ›w-€fò<ôæ›w€fòþÿÿÿô¢íËvdô;0Êv²øÍV€öŒ ¬ô„ŠCEdôœô€öt9ôå±Bt9ô€öt9ôÓYC½Œ Œ ö¼‹CŒ
process_handle: 0x000000c8
base_address: 0x0040b000
success 1 0
1619379790.190374
WriteProcessMemory
process_identifier: 2764
buffer: @
process_handle: 0x000000c8
base_address: 0x7efde008
success 1 0
1619379790.299374
WriteProcessMemory
process_identifier: 3128
buffer: ô϶O0€Ѐ€P€ô϶O1uX€2u€€3u¨€ô϶Opœ¡0°ô϶O˜Ð¢è°ô϶OÀ¼¥(°ô϶Oè€ô϶Oè¦0°ô϶O(€ô϶O @§À°€h€€à¨&PUT˜a( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÈb( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ°e( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿØf 01u è2u(3ugÀ4VS_VERSION_INFO½ïþDVarFileInfo$Translation ° StringFileInfoü040904B00ProductNameCRITIC, FileVersion1.000 ProductVersion1.00$InternalNamea4 OriginalFilenamea.exeÈhjava*1*|OFF|*appdata*IDM\*ichader.exe*h©D©u©`©‚©© ©°©¾©Ì©k€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000cc
base_address: 0x0040a000
success 1 0
1619379790.299374
WriteProcessMemory
process_identifier: 3128
buffer: @
process_handle: 0x000000cc
base_address: 0x7efde008
success 1 0
1619379790.330374
WriteProcessMemory
process_identifier: 3192
buffer: @
process_handle: 0x000000d4
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (2 个事件)
Time & API Arguments Status Return Repeated
1619379770.877751
WriteProcessMemory
process_identifier: 2620
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619379790.190374
WriteProcessMemory
process_identifier: 2764
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)
Time & API Arguments Status Return Repeated
1619379793.221499
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x004818f8
module_address: 0x00400000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 66031 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (10 个事件)
Process injection Process 2420 called NtSetContextThread to modify thread in remote process 2620
Process injection Process 2420 called NtSetContextThread to modify thread in remote process 1888
Process injection Process 2964 called NtSetContextThread to modify thread in remote process 2764
Process injection Process 2964 called NtSetContextThread to modify thread in remote process 3128
Process injection Process 2964 called NtSetContextThread to modify thread in remote process 3192
Time & API Arguments Status Return Repeated
1619379770.893751
NtSetContextThread
thread_handle: 0x000000c0
registers.eip: 2010382788
registers.esp: 2292820
registers.edi: 0
registers.eax: 4239360
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2620
success 0 0
1619379771.096751
NtSetContextThread
thread_handle: 0x000000d0
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4228560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1888
success 0 0
1619379790.190374
NtSetContextThread
thread_handle: 0x000000c0
registers.eip: 2010382788
registers.esp: 915764
registers.edi: 0
registers.eax: 4239360
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2764
success 0 0
1619379790.299374
NtSetContextThread
thread_handle: 0x000000d0
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4228560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3128
success 0 0
1619379790.330374
NtSetContextThread
thread_handle: 0x000000d8
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4936208
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3192
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (14 个事件)
Process injection Process 2420 resumed a thread in remote process 2620
Process injection Process 2420 resumed a thread in remote process 1888
Process injection Process 1888 resumed a thread in remote process 284
Process injection Process 1888 resumed a thread in remote process 2964
Process injection Process 2964 resumed a thread in remote process 2764
Process injection Process 2964 resumed a thread in remote process 3128
Process injection Process 2964 resumed a thread in remote process 3192
Time & API Arguments Status Return Repeated
1619379771.018751
NtResumeThread
thread_handle: 0x000000c0
suspend_count: 1
process_identifier: 2620
success 0 0
1619379771.112751
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 1888
success 0 0
1619379784.534626
NtResumeThread
thread_handle: 0x000001a0
suspend_count: 1
process_identifier: 284
success 0 0
1619379789.205626
NtResumeThread
thread_handle: 0x000002c8
suspend_count: 1
process_identifier: 2964
success 0 0
1619379790.221374
NtResumeThread
thread_handle: 0x000000c0
suspend_count: 1
process_identifier: 2764
success 0 0
1619379790.315374
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 3128
success 0 0
1619379790.362374
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 3192
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 65 个事件)
Time & API Arguments Status Return Repeated
1619379770.877751
CreateProcessInternalW
thread_identifier: 1912
thread_handle: 0x000000c0
process_identifier: 2620
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\svchost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000c8
inherit_handles: 0
success 1 0
1619379770.877751
NtUnmapViewOfSection
process_identifier: 2620
region_size: 1441792
process_handle: 0x000000c8
base_address: 0x00400000
failed 3221225497 0
1619379770.877751
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619379770.877751
WriteProcessMemory
process_identifier: 2620
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619379770.877751
WriteProcessMemory
process_identifier: 2620
buffer:
process_handle: 0x000000c8
base_address: 0x00401000
failed 0 0
1619379770.877751
WriteProcessMemory
process_identifier: 2620
buffer:
process_handle: 0x000000c8
base_address: 0x00407000
success 1 0
1619379770.893751
WriteProcessMemory
process_identifier: 2620
buffer: ¤t P(€Ȁ€¤t P1uP€2ux€3u €¤t PhL¡0°¤t P€¢è°¤t P¸l¥(°¤t Pà€¤t Pø˜¦0°¤t P €¤t P 8̦(°¸g( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÐd( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¨c( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿxc 01u è2u(3uPa(4VS_VERSION_INFO½ïþDVarFileInfo$Translation °ˆStringFileInfod040904B0D$CompanyNameArachnid Software4ProductNameWatchIt!, FileVersion1.000 ProductVersion1.004InternalNameWatchIt!DOriginalFilenameWatchIt!.exeT©0©a©L©n©|©Œ©œ©ª©¸©h€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000c8
base_address: 0x0040a000
success 1 0
1619379770.893751
WriteProcessMemory
process_identifier: 2620
buffer: ¿@‰@ÿàŠ@t/¡ƒÇ»°@ÿã¾@‰@ÿæÐ,°x\ôàÈ÷÷÷Dt9ôô`ô¢]Ct9ôq²Bœôe³Bt9ô\Cœôœôt9ôìr-€fò H. Œ£uðò(ôÕq w}¯¼7þÿÿÿŒã›wòà›w\ôdôÿÿÿÿÐ,Àóìó³ý~bÜó BÂu0³ý~ô`-€fò :/*8ôRç›wheòxfòô#à›wdôdôxfò,ô¨æ›w-€fò<ôæ›w€fòþÿÿÿô¢íËvdô;0Êv²øÍV€öŒ ¬ô„ŠCEdôœô€öt9ôå±Bt9ô€öt9ôÓYC½Œ Œ ö¼‹CŒ
process_handle: 0x000000c8
base_address: 0x0040b000
success 1 0
1619379770.893751
NtGetContextThread
thread_handle: 0x000000c0
success 0 0
1619379770.893751
WriteProcessMemory
process_identifier: 2620
buffer: @
process_handle: 0x000000c8
base_address: 0x7efde008
success 1 0
1619379770.893751
NtSetContextThread
thread_handle: 0x000000c0
registers.eip: 2010382788
registers.esp: 2292820
registers.edi: 0
registers.eax: 4239360
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2620
success 0 0
1619379771.018751
NtResumeThread
thread_handle: 0x000000c0
suspend_count: 1
process_identifier: 2620
success 0 0
1619379771.096751
CreateProcessInternalW
thread_identifier: 1940
thread_handle: 0x000000d0
process_identifier: 1888
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\313b7f681fbab1be58ee1ec570a5dbbb.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\313b7f681fbab1be58ee1ec570a5dbbb.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619379771.096751
NtUnmapViewOfSection
process_identifier: 1888
region_size: 4096
process_handle: 0x000000cc
base_address: 0x00400000
success 0 0
1619379771.096751
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000cc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619379771.096751
WriteProcessMemory
process_identifier: 1888
buffer:
process_handle: 0x000000cc
base_address: 0x00400000
success 1 0
1619379771.096751
WriteProcessMemory
process_identifier: 1888
buffer:
process_handle: 0x000000cc
base_address: 0x00401000
failed 0 0
1619379771.096751
WriteProcessMemory
process_identifier: 1888
buffer:
process_handle: 0x000000cc
base_address: 0x00407000
success 1 0
1619379771.096751
WriteProcessMemory
process_identifier: 1888
buffer: ô϶O0€Ѐ€P€ô϶O1uX€2u€€3u¨€ô϶Opœ¡0°ô϶O˜Ð¢è°ô϶OÀ¼¥(°ô϶Oè€ô϶Oè¦0°ô϶O(€ô϶O @§À°€h€€à¨&PUT˜a( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÈb( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ°e( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿØf 01u è2u(3ugÀ4VS_VERSION_INFO½ïþDVarFileInfo$Translation ° StringFileInfoü040904B00ProductNameCRITIC, FileVersion1.000 ProductVersion1.00$InternalNamea4 OriginalFilenamea.exeÈhjava*1*|OFF|*appdata*IDM\*ichader.exe*h©D©u©`©‚©© ©°©¾©Ì©k€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000cc
base_address: 0x0040a000
success 1 0
1619379771.096751
NtGetContextThread
thread_handle: 0x000000d0
success 0 0
1619379771.096751
WriteProcessMemory
process_identifier: 1888
buffer: @
process_handle: 0x000000cc
base_address: 0x7efde008
success 1 0
1619379771.096751
NtSetContextThread
thread_handle: 0x000000d0
registers.eip: 2010382788
registers.esp: 1638384
registers.edi: 0
registers.eax: 4228560
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1888
success 0 0
1619379771.112751
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 1888
success 0 0
1619379784.002626
NtResumeThread
thread_handle: 0x00000210
suspend_count: 1
process_identifier: 1888
success 0 0
1619379784.268626
CreateProcessInternalW
thread_identifier: 732
thread_handle: 0x000001a0
process_identifier: 284
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\YMKJN.bat"
filepath_r:
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000258
inherit_handles: 0
success 1 0
1619379784.534626
NtResumeThread
thread_handle: 0x000001a0
suspend_count: 1
process_identifier: 284
success 0 0
1619379789.159626
CreateProcessInternalW
thread_identifier: 1124
thread_handle: 0x000002c8
process_identifier: 2964
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002b8
inherit_handles: 0
success 1 0
1619379789.205626
NtResumeThread
thread_handle: 0x000002c8
suspend_count: 1
process_identifier: 2964
success 0 0
1619379784.940876
CreateProcessInternalW
thread_identifier: 2960
thread_handle: 0x00000084
process_identifier: 2772
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\reg.exe
track: 1
command_line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe" /f
filepath_r: C:\Windows\system32\reg.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000080
inherit_handles: 1
success 1 0
1619379790.190374
CreateProcessInternalW
thread_identifier: 192
thread_handle: 0x000000c0
process_identifier: 2764
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\svchost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000c8
inherit_handles: 0
success 1 0
1619379790.190374
NtUnmapViewOfSection
process_identifier: 2764
region_size: 1441792
process_handle: 0x000000c8
base_address: 0x00400000
failed 3221225497 0
1619379790.190374
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619379790.190374
WriteProcessMemory
process_identifier: 2764
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619379790.190374
WriteProcessMemory
process_identifier: 2764
buffer:
process_handle: 0x000000c8
base_address: 0x00401000
success 1 0
1619379790.190374
WriteProcessMemory
process_identifier: 2764
buffer:
process_handle: 0x000000c8
base_address: 0x00407000
success 1 0
1619379790.190374
WriteProcessMemory
process_identifier: 2764
buffer: ¤t P(€Ȁ€¤t P1uP€2ux€3u €¤t PhL¡0°¤t P€¢è°¤t P¸l¥(°¤t Pà€¤t Pø˜¦0°¤t P €¤t P 8̦(°¸g( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÐd( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¨c( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿxc 01u è2u(3uPa(4VS_VERSION_INFO½ïþDVarFileInfo$Translation °ˆStringFileInfod040904B0D$CompanyNameArachnid Software4ProductNameWatchIt!, FileVersion1.000 ProductVersion1.004InternalNameWatchIt!DOriginalFilenameWatchIt!.exeT©0©a©L©n©|©Œ©œ©ª©¸©h€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000c8
base_address: 0x0040a000
success 1 0
1619379790.190374
WriteProcessMemory
process_identifier: 2764
buffer: ¿@‰@ÿàŠ@t/¡ƒÇ»°@ÿã¾@‰@ÿæÐ,°x\ôàÈ÷÷÷Dt9ôô`ô¢]Ct9ôq²Bœôe³Bt9ô\Cœôœôt9ôìr-€fò H. Œ£uðò(ôÕq w}¯¼7þÿÿÿŒã›wòà›w\ôdôÿÿÿÿÐ,Àóìó³ý~bÜó BÂu0³ý~ô`-€fò :/*8ôRç›wheòxfòô#à›wdôdôxfò,ô¨æ›w-€fò<ôæ›w€fòþÿÿÿô¢íËvdô;0Êv²øÍV€öŒ ¬ô„ŠCEdôœô€öt9ôå±Bt9ô€öt9ôÓYC½Œ Œ ö¼‹CŒ
process_handle: 0x000000c8
base_address: 0x0040b000
success 1 0
1619379790.190374
NtGetContextThread
thread_handle: 0x000000c0
success 0 0
1619379790.190374
WriteProcessMemory
process_identifier: 2764
buffer: @
process_handle: 0x000000c8
base_address: 0x7efde008
success 1 0
1619379790.190374
NtSetContextThread
thread_handle: 0x000000c0
registers.eip: 2010382788
registers.esp: 915764
registers.edi: 0
registers.eax: 4239360
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2764
success 0 0
1619379790.221374
NtResumeThread
thread_handle: 0x000000c0
suspend_count: 1
process_identifier: 2764
success 0 0
1619379790.299374
CreateProcessInternalW
thread_identifier: 3132
thread_handle: 0x000000d0
process_identifier: 3128
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619379790.299374
NtUnmapViewOfSection
process_identifier: 3128
region_size: 4096
process_handle: 0x000000cc
base_address: 0x00400000
success 0 0
1619379790.299374
NtAllocateVirtualMemory
process_identifier: 3128
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000cc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619379790.299374
WriteProcessMemory
process_identifier: 3128
buffer:
process_handle: 0x000000cc
base_address: 0x00400000
success 1 0
1619379790.299374
WriteProcessMemory
process_identifier: 3128
buffer:
process_handle: 0x000000cc
base_address: 0x00401000
failed 0 0
1619379790.299374
WriteProcessMemory
process_identifier: 3128
buffer:
process_handle: 0x000000cc
base_address: 0x00407000
success 1 0
1619379790.299374
WriteProcessMemory
process_identifier: 3128
buffer: ô϶O0€Ѐ€P€ô϶O1uX€2u€€3u¨€ô϶Opœ¡0°ô϶O˜Ð¢è°ô϶OÀ¼¥(°ô϶Oè€ô϶Oè¦0°ô϶O(€ô϶O @§À°€h€€à¨&PUT˜a( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÈb( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ°e( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿØf 01u è2u(3ugÀ4VS_VERSION_INFO½ïþDVarFileInfo$Translation ° StringFileInfoü040904B00ProductNameCRITIC, FileVersion1.000 ProductVersion1.00$InternalNamea4 OriginalFilenamea.exeÈhjava*1*|OFF|*appdata*IDM\*ichader.exe*h©D©u©`©‚©© ©°©¾©Ì©k€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000cc
base_address: 0x0040a000
success 1 0
1619379790.299374
NtGetContextThread
thread_handle: 0x000000d0
success 0 0
1619379790.299374
WriteProcessMemory
process_identifier: 3128
buffer: @
process_handle: 0x000000cc
base_address: 0x7efde008
success 1 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2012-09-05 08:15:40

Imports

Library MSVBVM60.DLL:
0x401000 MethCallEngine
0x401004
0x401008 EVENT_SINK_AddRef
0x40100c
0x401010
0x401014 DllFunctionCall
0x401018 EVENT_SINK_Release
0x401020 __vbaExceptHandler
0x401024
0x401028 ProcCallEngine
0x40102c

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.