11.0
0-day
58 个模型检测该样本为恶意!
重新分析
更多

d402ac5a98fe1a739abee82fb4aa5264a03347b24f93812f808e645b809c36db

35c2371a2707534baa2cc4d47ab7bf53.exe

分析耗时

112s

最近分析

文件大小

1.0MB
静态报毒 动态报毒 AI SCORE=88 AIDETECTVM ALI2000015 AUTOG BHW@A8NK0WEI CLASSIC CONFIDENCE DELF DELFINJECT DELPHILESS ELDORADO EMVU EMZL FAREIT GENERICIH HIGH CONFIDENCE HQGCEL KRYPTIK KXYRZ LLHI MALWARE2 NONAME@0 PWSX QUASAR R057C0DH420 RATNET S15413981 SCORE SUSGEN SUSPICIOUS PE TSCOPE UNSAFE X2091 ZELPHIF ZUSY 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FPQ!35C2371A2707 20200827 6.0.6.653
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
Avast Win32:PWSX-gen [Trj] 20200827 18.4.3895.0
Tencent Win32.Trojan.Kryptik.Llhi 20200827 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20200827 2013.8.14.323
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
The executable uses a known packer (1 个事件)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (9 个事件)
Time & API Arguments Status Return Repeated
1619361325.04925
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
skkfsfsdgf+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x750f4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x750f5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd8d148d
success 0 0
1619361332.814502
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
skkfsfsdgf+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x751a4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x751a5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff4c148d
success 0 0
1619361337.470875
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
skkfsfsdgf+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75105d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff62148d
success 0 0
1619361344.111375
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
skkfsfsdgf+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x751a4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x751a5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff4d148d
success 0 0
1619361349.674125
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
skkfsfsdgf+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75105d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff4a148d
success 0 0
1619361362.939625
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
skkfsfsdgf+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x751a4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x751a5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb6148d
success 0 0
1619361373.29925
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
skkfsfsdgf+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75154b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75155d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb9148d
success 0 0
1619361380.361625
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
skkfsfsdgf+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75105d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff54148d
success 0 0
1619361385.767625
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
skkfsfsdgf+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75104b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75105d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdbf148d
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 285 个事件)
Time & API Arguments Status Return Repeated
1619345033.91311
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619345034.03811
NtProtectVirtualMemory
process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 73728
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00476000
success 0 0
1619345034.03811
NtAllocateVirtualMemory
process_identifier: 2292
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f80000
success 0 0
1619361323.017875
NtAllocateVirtualMemory
process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005e0000
success 0 0
1619361323.048875
NtProtectVirtualMemory
process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 73728
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00476000
success 0 0
1619361323.048875
NtAllocateVirtualMemory
process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00620000
success 0 0
1619361324.22125
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619361324.28425
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x020b0000
success 0 0
1619361324.28425
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02290000
success 0 0
1619361324.28425
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ff0000
success 0 0
1619361324.28425
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ff2000
success 0 0
1619361324.98725
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00372000
success 0 0
1619361324.98725
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619361324.98725
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00372000
success 0 0
1619361324.98725
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619361324.98725
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00372000
success 0 0
1619361324.98725
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619361324.98725
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00372000
success 0 0
1619361324.98725
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619361325.00225
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00372000
success 0 0
1619361325.00225
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619361325.00225
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00372000
success 0 0
1619361325.00225
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619361325.00225
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00372000
success 0 0
1619361325.00225
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619361325.00225
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00372000
success 0 0
1619361325.00225
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619361325.00225
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00372000
success 0 0
1619361325.00225
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619361325.00225
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00372000
success 0 0
1619361325.00225
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619361324.5015
NtAllocateVirtualMemory
process_identifier: 3136
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00800000
success 0 0
1619361324.5335
NtProtectVirtualMemory
process_identifier: 3136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 73728
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00476000
success 0 0
1619361324.5335
NtAllocateVirtualMemory
process_identifier: 3136
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00840000
success 0 0
1619361331.11175
NtAllocateVirtualMemory
process_identifier: 3268
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619361331.48675
NtProtectVirtualMemory
process_identifier: 3268
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 73728
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00476000
success 0 0
1619361331.48675
NtAllocateVirtualMemory
process_identifier: 3268
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ea0000
success 0 0
1619361332.704502
NtProtectVirtualMemory
process_identifier: 3336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619361332.736502
NtAllocateVirtualMemory
process_identifier: 3336
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f70000
success 0 0
1619361332.736502
NtAllocateVirtualMemory
process_identifier: 3336
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020d0000
success 0 0
1619361332.736502
NtAllocateVirtualMemory
process_identifier: 3336
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f70000
success 0 0
1619361332.736502
NtProtectVirtualMemory
process_identifier: 3336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f72000
success 0 0
1619361332.814502
NtProtectVirtualMemory
process_identifier: 3336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f62000
success 0 0
1619361332.814502
NtProtectVirtualMemory
process_identifier: 3336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619361332.814502
NtProtectVirtualMemory
process_identifier: 3336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f62000
success 0 0
1619361332.814502
NtProtectVirtualMemory
process_identifier: 3336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619361332.814502
NtProtectVirtualMemory
process_identifier: 3336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f62000
success 0 0
1619361332.814502
NtProtectVirtualMemory
process_identifier: 3336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619361332.814502
NtProtectVirtualMemory
process_identifier: 3336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f62000
success 0 0
1619361332.814502
NtProtectVirtualMemory
process_identifier: 3336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (30 个事件)
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.5948260462367445 section {'size_of_data': '0x00073800', 'virtual_address': '0x0009a000', 'entropy': 7.5948260462367445, 'name': '.rsrc', 'virtual_size': '0x000737b0'} description A section with a high entropy has been found
entropy 0.43853820598006643 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 个事件)
process skkfsfsdgf.exe
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (29 个事件)
Time & API Arguments Status Return Repeated
1619345034.06911
Process32NextW
process_name: 35c2371a2707534baa2cc4d47ab7bf53.exe
snapshot_handle: 0x000000f4
process_identifier: 2292
failed 0 0
1619361323.048875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2476
failed 0 0
1619361324.5485
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3204
failed 0 0
1619361330.6425
Process32NextW
process_name: skkfsfsdgf.exe
snapshot_handle: 0x00000190
process_identifier: 3136
failed 0 0
1619361331.50175
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3324
failed 0 0
1619361333.704625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3492
failed 0 0
1619361334.642625
Process32NextW
process_name: skkfsfsdgf.exe
snapshot_handle: 0x0000010c
process_identifier: 3400
failed 0 0
1619361335.986875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3572
failed 0 0
1619361338.033625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3712
failed 0 0
1619361340.376625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x00000138
process_identifier: 3744
failed 0 0
1619361341.28375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3812
failed 0 0
1619361344.923375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3980
failed 0 0
1619361347.204375
Process32NextW
process_name: skkfsfsdgf.exe
snapshot_handle: 0x00000128
process_identifier: 3892
failed 0 0
1619361348.345875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 4064
failed 0 0
1619361352.56475
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2632
failed 0 0
1619361355.90875
Process32NextW
process_name: skkfsfsdgf.exe
snapshot_handle: 0x00000124
process_identifier: 2120
failed 0 0
1619361357.971
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x000000f4
process_identifier: 3396
failed 0 0
1619361364.970375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3576
failed 0 0
1619361370.392375
Process32NextW
process_name: skkfsfsdgf.exe
snapshot_handle: 0x00000138
process_identifier: 2976
failed 0 0
1619361371.534
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3728
failed 0 0
1619361374.90925
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 1036
failed 0 0
1619361377.31525
Process32NextW
process_name: skkfsfsdgf.exe
snapshot_handle: 0x00000124
process_identifier: 3796
failed 0 0
1619361378.627125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3604
failed 0 0
1619361381.158502
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3176
failed 0 0
1619361382.814502
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x00000124
process_identifier: 3240
failed 0 0
1619361383.689625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 1760
failed 0 0
1619361386.6585
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3076
failed 0 0
1619361389.9865
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000012c
process_identifier: 3668
failed 0 0
1619361392.048625
Process32NextW
process_name: skkfsfsdgf.exe
snapshot_handle: 0x000000f4
process_identifier: 3684
failed 0 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe:ZoneIdentifier
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619345034.67911
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
Installs itself for autorun at Windows startup (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2292 created a thread in remote process 368
Time & API Arguments Status Return Repeated
1619345034.67911
NtQueueApcThread
thread_handle: 0x00000104
process_identifier: 368
function_address: 0x001305c0
parameter: 0x00140000
success 0 0
Potential code injection by writing to the memory of another process (2 个事件)
Time & API Arguments Status Return Repeated
1619345034.67911
WriteProcessMemory
process_identifier: 368
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÅÉt èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x000000fc
base_address: 0x00130000
success 1 0
1619345034.67911
WriteProcessMemory
process_identifier: 368
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\35c2371a2707534baa2cc4d47ab7bf53.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\35c2371a2707534baa2cc4d47ab7bf53.exe" websET ctAwkdXPCsAfwXkL = crEaTeobject("WScrIpT.shElL") cTAWkdxPCsaFwxKL.RUn """%ls""", 0, False
process_handle: 0x000000fc
base_address: 0x00140000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (18 个事件)
Process injection Process 2104 called NtSetContextThread to modify thread in remote process 1068
Process injection Process 3268 called NtSetContextThread to modify thread in remote process 3336
Process injection Process 3512 called NtSetContextThread to modify thread in remote process 3580
Process injection Process 3752 called NtSetContextThread to modify thread in remote process 3824
Process injection Process 4004 called NtSetContextThread to modify thread in remote process 4084
Process injection Process 3300 called NtSetContextThread to modify thread in remote process 3472
Process injection Process 3640 called NtSetContextThread to modify thread in remote process 2952
Process injection Process 2648 called NtSetContextThread to modify thread in remote process 4000
Process injection Process 3208 called NtSetContextThread to modify thread in remote process 3444
Time & API Arguments Status Return Repeated
1619361323.283875
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1068
success 0 0
1619361331.90875
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3336
success 0 0
1619361336.361875
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3580
success 0 0
1619361342.67375
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3824
success 0 0
1619361348.689875
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4084
success 0 0
1619361361.08
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3472
success 0 0
1619361372.19
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2952
success 0 0
1619361379.205125
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4000
success 0 0
1619361384.658625
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3444
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (18 个事件)
Process injection Process 2104 resumed a thread in remote process 1068
Process injection Process 3268 resumed a thread in remote process 3336
Process injection Process 3512 resumed a thread in remote process 3580
Process injection Process 3752 resumed a thread in remote process 3824
Process injection Process 4004 resumed a thread in remote process 4084
Process injection Process 3300 resumed a thread in remote process 3472
Process injection Process 3640 resumed a thread in remote process 2952
Process injection Process 2648 resumed a thread in remote process 4000
Process injection Process 3208 resumed a thread in remote process 3444
Time & API Arguments Status Return Repeated
1619361323.861875
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 1068
success 0 0
1619361332.50175
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3336
success 0 0
1619361336.861875
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3580
success 0 0
1619361343.29875
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3824
success 0 0
1619361349.048875
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 4084
success 0 0
1619361361.955
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3472
success 0 0
1619361372.83
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2952
success 0 0
1619361379.784125
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 4000
success 0 0
1619361385.204625
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3444
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 78 个事件)
Time & API Arguments Status Return Repeated
1619345034.67911
CreateProcessInternalW
thread_identifier: 732
thread_handle: 0x00000104
process_identifier: 368
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619345034.67911
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1619345034.67911
NtAllocateVirtualMemory
process_identifier: 368
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00140000
success 0 0
1619345034.67911
WriteProcessMemory
process_identifier: 368
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÅÉt èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x000000fc
base_address: 0x00130000
success 1 0
1619345034.67911
WriteProcessMemory
process_identifier: 368
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\35c2371a2707534baa2cc4d47ab7bf53.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\35c2371a2707534baa2cc4d47ab7bf53.exe" websET ctAwkdXPCsAfwXkL = crEaTeobject("WScrIpT.shElL") cTAWkdxPCsaFwxKL.RUn """%ls""", 0, False
process_handle: 0x000000fc
base_address: 0x00140000
success 1 0
1619361322.767502
CreateProcessInternalW
thread_identifier: 2196
thread_handle: 0x000000d0
process_identifier: 2104
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619361323.236875
CreateProcessInternalW
thread_identifier: 3076
thread_handle: 0x00000104
process_identifier: 1068
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619361323.236875
NtUnmapViewOfSection
process_identifier: 1068
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619361323.236875
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 1068
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619361323.283875
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619361323.283875
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1068
success 0 0
1619361323.861875
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 1068
success 0 0
1619361324.048875
CreateProcessInternalW
thread_identifier: 3140
thread_handle: 0x00000108
process_identifier: 3136
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe" 2 1068 2489328
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619361330.7045
CreateProcessInternalW
thread_identifier: 3272
thread_handle: 0x00000194
process_identifier: 3268
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000198
inherit_handles: 0
success 1 0
1619361331.76775
CreateProcessInternalW
thread_identifier: 3340
thread_handle: 0x00000104
process_identifier: 3336
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619361331.78375
NtUnmapViewOfSection
process_identifier: 3336
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619361331.79875
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3336
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619361331.90875
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619361331.90875
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3336
success 0 0
1619361332.50175
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3336
success 0 0
1619361332.84575
CreateProcessInternalW
thread_identifier: 3404
thread_handle: 0x00000108
process_identifier: 3400
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe" 2 3336 2497968
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619361335.111625
CreateProcessInternalW
thread_identifier: 3516
thread_handle: 0x00000110
process_identifier: 3512
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619361336.236875
CreateProcessInternalW
thread_identifier: 3584
thread_handle: 0x00000104
process_identifier: 3580
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619361336.236875
NtUnmapViewOfSection
process_identifier: 3580
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619361336.251875
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3580
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619361336.361875
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619361336.361875
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3580
success 0 0
1619361336.861875
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3580
success 0 0
1619361337.517875
CreateProcessInternalW
thread_identifier: 3652
thread_handle: 0x00000108
process_identifier: 3648
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe" 2 3580 2502328
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619361340.798625
CreateProcessInternalW
thread_identifier: 3756
thread_handle: 0x0000013c
process_identifier: 3752
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000140
inherit_handles: 0
success 1 0
1619361342.54875
CreateProcessInternalW
thread_identifier: 3828
thread_handle: 0x00000104
process_identifier: 3824
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619361342.54875
NtUnmapViewOfSection
process_identifier: 3824
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619361342.56475
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3824
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619361342.65875
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619361342.67375
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3824
success 0 0
1619361343.29875
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3824
success 0 0
1619361344.25175
CreateProcessInternalW
thread_identifier: 3896
thread_handle: 0x00000108
process_identifier: 3892
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe" 2 3824 2508781
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619361347.720375
CreateProcessInternalW
thread_identifier: 4008
thread_handle: 0x0000012c
process_identifier: 4004
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619361348.626875
CreateProcessInternalW
thread_identifier: 4088
thread_handle: 0x00000104
process_identifier: 4084
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619361348.626875
NtUnmapViewOfSection
process_identifier: 4084
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619361348.642875
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 4084
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619361348.689875
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619361348.689875
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502784
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4084
success 0 0
1619361349.048875
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 4084
success 0 0
1619361350.048875
CreateProcessInternalW
thread_identifier: 2636
thread_handle: 0x00000108
process_identifier: 2120
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe" 2 4084 2514515
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619361356.31475
CreateProcessInternalW
thread_identifier: 3296
thread_handle: 0x00000128
process_identifier: 3300
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000012c
inherit_handles: 0
success 1 0
1619361359.362
CreateProcessInternalW
thread_identifier: 3452
thread_handle: 0x00000104
process_identifier: 3472
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\skkfsfsdgf.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619361359.362
NtUnmapViewOfSection
process_identifier: 3472
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619361359.393
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3472
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619361361.065
NtGetContextThread
thread_handle: 0x00000104
success 0 0
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 个事件)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
DrWeb BackDoor.RatNET.2
Cynet Malicious (score: 100)
FireEye Generic.mg.35c2371a2707534b
CAT-QuickHeal Trojan.GenericIH.S15413981
McAfee Fareit-FPQ!35C2371A2707
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056bdab1 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 0056bdab1 )
Cybereason malicious.7fbb75
Arcabit Trojan.Zusy.D4BCFC
TrendMicro TROJ_GEN.R057C0DH420
BitDefenderTheta Gen:NN.ZelphiF.34196.bHW@a8NK0Wei
Cyren W32/Delf.LI.gen!Eldorado
Symantec Trojan.Gen.2
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Gen:Variant.Zusy.310524
NANO-Antivirus Trojan.Win32.Quasar.hqgcel
ViRobot Trojan.Win32.Z.Zusy.1079808
MicroWorld-eScan Gen:Variant.Zusy.310524
Avast Win32:PWSX-gen [Trj]
Tencent Win32.Trojan.Kryptik.Llhi
Ad-Aware Gen:Variant.Zusy.310524
Comodo fls.noname@0
F-Secure Trojan.TR/Injector.kxyrz
Zillya Trojan.Injector.Win32.756877
Invincea heuristic
Sophos Troj/AutoG-IT
Ikarus Trojan.Inject
Jiangmin Trojan.Kryptik.bzt
eGambit Unsafe.AI_Score_99%
Avira TR/Injector.kxyrz
Antiy-AVL Trojan/Win32.Injector
Microsoft PWS:Win32/Fareit.SM!MTB
AegisLab Trojan.Win32.Kryptik.4!c
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Gen:Variant.Zusy.310524
AhnLab-V3 Suspicious/Win.Delphiless.X2091
VBA32 TScope.Trojan.Delf
ALYac Gen:Variant.Zusy.310524
MAX malware (ai score=88)
Malwarebytes Trojan.MalPack.DLF
ESET-NOD32 a variant of Win32/Injector.EMVU
TrendMicro-HouseCall TROJ_GEN.R057C0DH420
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x48c164 VirtualFree
0x48c168 VirtualAlloc
0x48c16c LocalFree
0x48c170 LocalAlloc
0x48c174 GetVersion
0x48c178 GetCurrentThreadId
0x48c184 VirtualQuery
0x48c188 WideCharToMultiByte
0x48c18c MultiByteToWideChar
0x48c190 lstrlenA
0x48c194 lstrcpynA
0x48c198 LoadLibraryExA
0x48c19c GetThreadLocale
0x48c1a0 GetStartupInfoA
0x48c1a4 GetProcAddress
0x48c1a8 GetModuleHandleA
0x48c1ac GetModuleFileNameA
0x48c1b0 GetLocaleInfoA
0x48c1b4 GetCommandLineA
0x48c1b8 FreeLibrary
0x48c1bc FindFirstFileA
0x48c1c0 FindClose
0x48c1c4 ExitProcess
0x48c1c8 WriteFile
0x48c1d0 RtlUnwind
0x48c1d4 RaiseException
0x48c1d8 GetStdHandle
Library user32.dll:
0x48c1e0 GetKeyboardType
0x48c1e4 LoadStringA
0x48c1e8 MessageBoxA
0x48c1ec CharNextA
Library advapi32.dll:
0x48c1f4 RegQueryValueExA
0x48c1f8 RegOpenKeyExA
0x48c1fc RegCloseKey
Library oleaut32.dll:
0x48c204 SysFreeString
0x48c208 SysReAllocStringLen
0x48c20c SysAllocStringLen
Library kernel32.dll:
0x48c214 TlsSetValue
0x48c218 TlsGetValue
0x48c21c LocalAlloc
0x48c220 GetModuleHandleA
Library advapi32.dll:
0x48c228 RegQueryValueExA
0x48c22c RegOpenKeyExA
0x48c230 RegCloseKey
Library kernel32.dll:
0x48c238 lstrcpyA
0x48c23c WriteFile
0x48c240 WaitForSingleObject
0x48c244 VirtualQuery
0x48c248 VirtualProtect
0x48c24c VirtualAlloc
0x48c250 Sleep
0x48c254 SizeofResource
0x48c258 SetThreadLocale
0x48c25c SetFilePointer
0x48c260 SetEvent
0x48c264 SetErrorMode
0x48c268 SetEndOfFile
0x48c26c ResetEvent
0x48c270 ReadFile
0x48c274 MultiByteToWideChar
0x48c278 MulDiv
0x48c27c LockResource
0x48c280 LoadResource
0x48c284 LoadLibraryA
0x48c290 GlobalUnlock
0x48c294 GlobalSize
0x48c298 GlobalReAlloc
0x48c29c GlobalHandle
0x48c2a0 GlobalLock
0x48c2a4 GlobalFree
0x48c2a8 GlobalFindAtomA
0x48c2ac GlobalDeleteAtom
0x48c2b0 GlobalAlloc
0x48c2b4 GlobalAddAtomA
0x48c2b8 GetVersionExA
0x48c2bc GetVersion
0x48c2c0 GetUserDefaultLCID
0x48c2c4 GetTickCount
0x48c2c8 GetThreadLocale
0x48c2d0 GetSystemInfo
0x48c2d4 GetStringTypeExA
0x48c2d8 GetStdHandle
0x48c2dc GetProcAddress
0x48c2e0 GetModuleHandleA
0x48c2e4 GetModuleFileNameA
0x48c2e8 GetLocaleInfoA
0x48c2ec GetLocalTime
0x48c2f0 GetLastError
0x48c2f4 GetFullPathNameA
0x48c2f8 GetDiskFreeSpaceA
0x48c2fc GetDateFormatA
0x48c300 GetCurrentThreadId
0x48c304 GetCurrentProcessId
0x48c308 GetComputerNameA
0x48c30c GetCPInfo
0x48c310 GetACP
0x48c314 FreeResource
0x48c318 InterlockedExchange
0x48c31c FreeLibrary
0x48c320 FormatMessageA
0x48c324 FindResourceA
0x48c32c EnumCalendarInfoA
0x48c338 CreateThread
0x48c33c CreateFileA
0x48c340 CreateEventA
0x48c344 CompareStringA
0x48c348 CloseHandle
Library version.dll:
0x48c350 VerQueryValueA
0x48c358 GetFileVersionInfoA
Library gdi32.dll:
0x48c360 UnrealizeObject
0x48c364 StretchBlt
0x48c368 SetWindowOrgEx
0x48c36c SetWinMetaFileBits
0x48c370 SetViewportOrgEx
0x48c374 SetTextColor
0x48c378 SetStretchBltMode
0x48c37c SetROP2
0x48c380 SetPixel
0x48c384 SetMapMode
0x48c388 SetEnhMetaFileBits
0x48c38c SetDIBColorTable
0x48c390 SetBrushOrgEx
0x48c394 SetBkMode
0x48c398 SetBkColor
0x48c39c SelectPalette
0x48c3a0 SelectObject
0x48c3a4 SelectClipRgn
0x48c3a8 SaveDC
0x48c3ac RestoreDC
0x48c3b0 Rectangle
0x48c3b4 RectVisible
0x48c3b8 RealizePalette
0x48c3bc Polyline
0x48c3c0 PlayEnhMetaFile
0x48c3c4 PathToRegion
0x48c3c8 PatBlt
0x48c3cc MoveToEx
0x48c3d0 MaskBlt
0x48c3d4 LineTo
0x48c3d8 LPtoDP
0x48c3dc IntersectClipRect
0x48c3e0 GetWindowOrgEx
0x48c3e4 GetWinMetaFileBits
0x48c3e8 GetTextMetricsA
0x48c3f4 GetStockObject
0x48c3f8 GetPixel
0x48c3fc GetPaletteEntries
0x48c400 GetObjectA
0x48c410 GetEnhMetaFileBits
0x48c414 GetDeviceCaps
0x48c418 GetDIBits
0x48c41c GetDIBColorTable
0x48c420 GetDCOrgEx
0x48c428 GetClipBox
0x48c42c GetBrushOrgEx
0x48c430 GetBitmapBits
0x48c434 ExtTextOutA
0x48c438 ExcludeClipRect
0x48c43c DeleteObject
0x48c440 DeleteEnhMetaFile
0x48c444 DeleteDC
0x48c448 CreateSolidBrush
0x48c44c CreatePenIndirect
0x48c450 CreatePalette
0x48c458 CreateFontIndirectA
0x48c45c CreateEnhMetaFileA
0x48c460 CreateDIBitmap
0x48c464 CreateDIBSection
0x48c468 CreateCompatibleDC
0x48c470 CreateBrushIndirect
0x48c474 CreateBitmap
0x48c478 CopyEnhMetaFileA
0x48c47c CloseEnhMetaFile
0x48c480 BitBlt
Library user32.dll:
0x48c488 CreateWindowExA
0x48c48c WindowFromPoint
0x48c490 WinHelpA
0x48c494 WaitMessage
0x48c498 UpdateWindow
0x48c49c UnregisterClassA
0x48c4a0 UnhookWindowsHookEx
0x48c4a4 TranslateMessage
0x48c4ac TrackPopupMenu
0x48c4b4 ShowWindow
0x48c4b8 ShowScrollBar
0x48c4bc ShowOwnedPopups
0x48c4c0 ShowCursor
0x48c4c4 SetWindowsHookExA
0x48c4c8 SetWindowTextA
0x48c4cc SetWindowPos
0x48c4d0 SetWindowPlacement
0x48c4d4 SetWindowLongA
0x48c4d8 SetTimer
0x48c4dc SetScrollRange
0x48c4e0 SetScrollPos
0x48c4e4 SetScrollInfo
0x48c4e8 SetRect
0x48c4ec SetPropA
0x48c4f0 SetParent
0x48c4f4 SetMenuItemInfoA
0x48c4f8 SetMenu
0x48c4fc SetForegroundWindow
0x48c500 SetFocus
0x48c504 SetCursor
0x48c508 SetClassLongA
0x48c50c SetCapture
0x48c510 SetActiveWindow
0x48c514 SendMessageA
0x48c518 ScrollWindow
0x48c51c ScreenToClient
0x48c520 RemovePropA
0x48c524 RemoveMenu
0x48c528 ReleaseDC
0x48c52c ReleaseCapture
0x48c538 RegisterClassA
0x48c53c RedrawWindow
0x48c540 PtInRect
0x48c544 PostQuitMessage
0x48c548 PostMessageA
0x48c54c PeekMessageA
0x48c550 OffsetRect
0x48c554 OemToCharA
0x48c558 MessageBoxA
0x48c55c MessageBeep
0x48c560 MapWindowPoints
0x48c564 MapVirtualKeyA
0x48c568 LoadStringA
0x48c56c LoadKeyboardLayoutA
0x48c570 LoadIconA
0x48c574 LoadCursorA
0x48c578 LoadBitmapA
0x48c57c KillTimer
0x48c580 IsZoomed
0x48c584 IsWindowVisible
0x48c588 IsWindowEnabled
0x48c58c IsWindow
0x48c590 IsRectEmpty
0x48c594 IsIconic
0x48c598 IsDialogMessageA
0x48c59c IsChild
0x48c5a0 InvalidateRect
0x48c5a4 IntersectRect
0x48c5a8 InsertMenuItemA
0x48c5ac InsertMenuA
0x48c5b0 InflateRect
0x48c5b8 GetWindowTextA
0x48c5bc GetWindowRect
0x48c5c0 GetWindowPlacement
0x48c5c4 GetWindowLongA
0x48c5c8 GetWindowDC
0x48c5cc GetTopWindow
0x48c5d0 GetSystemMetrics
0x48c5d4 GetSystemMenu
0x48c5d8 GetSysColorBrush
0x48c5dc GetSysColor
0x48c5e0 GetSubMenu
0x48c5e4 GetScrollRange
0x48c5e8 GetScrollPos
0x48c5ec GetScrollInfo
0x48c5f0 GetPropA
0x48c5f4 GetParent
0x48c5f8 GetWindow
0x48c5fc GetMessageTime
0x48c600 GetMenuStringA
0x48c604 GetMenuState
0x48c608 GetMenuItemInfoA
0x48c60c GetMenuItemID
0x48c610 GetMenuItemCount
0x48c614 GetMenu
0x48c618 GetLastActivePopup
0x48c61c GetKeyboardState
0x48c624 GetKeyboardLayout
0x48c628 GetKeyState
0x48c62c GetKeyNameTextA
0x48c630 GetIconInfo
0x48c634 GetForegroundWindow
0x48c638 GetFocus
0x48c63c GetDlgItem
0x48c640 GetDesktopWindow
0x48c644 GetDCEx
0x48c648 GetDC
0x48c64c GetCursorPos
0x48c650 GetCursor
0x48c654 GetClipboardData
0x48c658 GetClientRect
0x48c65c GetClassNameA
0x48c660 GetClassInfoA
0x48c664 GetCapture
0x48c668 GetActiveWindow
0x48c66c FrameRect
0x48c670 FindWindowA
0x48c674 FillRect
0x48c678 EqualRect
0x48c67c EnumWindows
0x48c680 EnumThreadWindows
0x48c684 EndPaint
0x48c688 EnableWindow
0x48c68c EnableScrollBar
0x48c690 EnableMenuItem
0x48c694 DrawTextA
0x48c698 DrawMenuBar
0x48c69c DrawIconEx
0x48c6a0 DrawIcon
0x48c6a4 DrawFrameControl
0x48c6a8 DrawFocusRect
0x48c6ac DrawEdge
0x48c6b0 DispatchMessageA
0x48c6b4 DestroyWindow
0x48c6b8 DestroyMenu
0x48c6bc DestroyIcon
0x48c6c0 DestroyCursor
0x48c6c4 DeleteMenu
0x48c6c8 DefWindowProcA
0x48c6cc DefMDIChildProcA
0x48c6d0 DefFrameProcA
0x48c6d4 CreatePopupMenu
0x48c6d8 CreateMenu
0x48c6dc CreateIcon
0x48c6e0 ClientToScreen
0x48c6e4 CheckMenuItem
0x48c6e8 CallWindowProcA
0x48c6ec CallNextHookEx
0x48c6f0 BeginPaint
0x48c6f4 CharNextA
0x48c6f8 CharLowerBuffA
0x48c6fc CharLowerA
0x48c700 CharUpperBuffA
0x48c704 CharToOemA
0x48c708 AdjustWindowRectEx
Library kernel32.dll:
0x48c714 Sleep
Library oleaut32.dll:
0x48c71c SafeArrayPtrOfIndex
0x48c720 SafeArrayPutElement
0x48c724 SafeArrayGetElement
0x48c72c SafeArrayAccessData
0x48c730 SafeArrayGetUBound
0x48c734 SafeArrayGetLBound
0x48c738 SafeArrayCreate
0x48c73c VariantChangeType
0x48c740 VariantCopyInd
0x48c744 VariantCopy
0x48c748 VariantClear
0x48c74c VariantInit
Library ole32.dll:
0x48c758 IsAccelerator
0x48c75c OleDraw
0x48c764 CoTaskMemFree
0x48c768 ProgIDFromCLSID
0x48c76c StringFromCLSID
0x48c770 CoCreateInstance
0x48c774 CoGetClassObject
0x48c778 CoUninitialize
0x48c77c CoInitialize
0x48c780 IsEqualGUID
Library oleaut32.dll:
0x48c788 GetErrorInfo
0x48c78c GetActiveObject
0x48c790 SysFreeString
Library comctl32.dll:
0x48c7a0 ImageList_Write
0x48c7a4 ImageList_Read
0x48c7b4 ImageList_DragMove
0x48c7b8 ImageList_DragLeave
0x48c7bc ImageList_DragEnter
0x48c7c0 ImageList_EndDrag
0x48c7c4 ImageList_BeginDrag
0x48c7c8 ImageList_Remove
0x48c7cc ImageList_DrawEx
0x48c7d0 ImageList_Replace
0x48c7d4 ImageList_Draw
0x48c7e4 ImageList_Add
0x48c7ec ImageList_Destroy
0x48c7f0 ImageList_Create
Library comdlg32.dll:
0x48c7f8 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.