17.4
0-day
61 个模型检测该样本为恶意!
重新分析
更多

7ff1c4b4e17f962192831e437bed7d017700a4a286d91ef73066b5725e53ba53

6bc17c2d3bc9b178d70c19e9ac739260.exe

分析耗时

120s

最近分析

文件大小

1.5MB
静态报毒 动态报毒 100% ADCD@8RNP34 AI SCORE=87 AIDETECTVM AMPM ATTRIBUTE AZ8D6EXO22F AZAT CCW5BSGI+5A CONFIDENCE DARKEYE DXWDRC EN0@AU7E75LG ESWS FYNLOSKI GENASA GENCIRC GENERICR GENETIC HIGH CONFIDENCE HIGHCONFIDENCE KCLOUD MALICIOUS PE MALWARE1 OCCAMY QVM03 R + MAL R066C0DIA20 R335725 RAZY SCORE SEZF SIGGEN STATIC AI SUSGEN TOOL TRMC UNSAFE XJHFH ZAPCHAST ZEVBAF ZUSY 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/VBInject.594c7757 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Agent-AZAT [Trj] 20201210 21.1.5827.0
Kingsoft Win32.Troj.Generic_a.a.(kcloud) 20201211 2017.9.26.565
McAfee GenericR-EPS!6BC17C2D3BC9 20201211 6.0.6.653
Tencent Malware.Win32.Gencirc.10b7d08d 20201211 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Command line console output was observed (4 个事件)
Time & API Arguments Status Return Repeated
1619596824.878876
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp>
console_handle: 0x00000007
success 1 0
1619596824.878876
WriteConsoleW
buffer: REG
console_handle: 0x00000007
success 1 0
1619596824.878876
WriteConsoleW
buffer: ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe" /f
console_handle: 0x00000007
success 1 0
1619596825.378876
WriteConsoleW
buffer: 操作成功完成。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619596840.128751
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619596821.503374
__exception__
stacktrace: 
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

registers.esp: 1636412
registers.edi: 1636688
registers.eax: 1636412
registers.ebp: 1636492
registers.edx: 0
registers.ebx: 5076624
registers.esi: 1636688
registers.ecx: 2
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:2559489062&cup2hreq=464cee565ac74491227c5b355484c6c48c17547264b6f2309196725fbdf590a5
Connects to a Dynamic DNS Domain (1 个事件)
domain mrsnickers03.no-ip.biz
Performs some HTTP requests (5 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:2559489062&cup2hreq=464cee565ac74491227c5b355484c6c48c17547264b6f2309196725fbdf590a5
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:2559489062&cup2hreq=464cee565ac74491227c5b355484c6c48c17547264b6f2309196725fbdf590a5
Allocates read-write-execute memory (usually to unpack itself) (50 out of 72 个事件)
Time & API Arguments Status Return Repeated
1619596816.488751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02500000
success 0 0
1619596816.488751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02510000
success 0 0
1619596816.488751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02520000
success 0 0
1619596816.488751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02530000
success 0 0
1619596816.488751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02540000
success 0 0
1619596816.503751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02670000
success 0 0
1619596816.503751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02680000
success 0 0
1619596816.503751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02690000
success 0 0
1619596816.519751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026a0000
success 0 0
1619596816.519751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026b0000
success 0 0
1619596816.769751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026c0000
success 0 0
1619596816.769751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026d0000
success 0 0
1619596816.769751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026e0000
success 0 0
1619596816.769751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a00000
success 0 0
1619596816.769751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a10000
success 0 0
1619596816.769751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a20000
success 0 0
1619596816.769751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a30000
success 0 0
1619596816.769751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a40000
success 0 0
1619596816.769751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a50000
success 0 0
1619596818.316751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a60000
success 0 0
1619596818.332751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a70000
success 0 0
1619596818.332751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a80000
success 0 0
1619596818.332751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a90000
success 0 0
1619596818.347751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02aa0000
success 0 0
1619596818.347751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ab0000
success 0 0
1619596818.347751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ac0000
success 0 0
1619596818.347751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ad0000
success 0 0
1619596818.347751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02ae0000
success 0 0
1619596818.347751
NtAllocateVirtualMemory
process_identifier: 364
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02af0000
success 0 0
1619596818.441374
NtProtectVirtualMemory
process_identifier: 3064
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619596819.394374
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619596887.879126
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004190000
success 0 0
1619596834.833001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026e0000
success 0 0
1619596834.833001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026f0000
success 0 0
1619596834.833001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02700000
success 0 0
1619596834.833001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02720000
success 0 0
1619596834.833001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02730000
success 0 0
1619596834.833001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02740000
success 0 0
1619596834.833001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02750000
success 0 0
1619596834.833001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02760000
success 0 0
1619596834.848001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02770000
success 0 0
1619596834.864001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c0000
success 0 0
1619596834.989001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x029d0000
success 0 0
1619596835.004001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x029e0000
success 0 0
1619596835.004001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x029f0000
success 0 0
1619596835.020001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a00000
success 0 0
1619596835.020001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a10000
success 0 0
1619596835.020001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a20000
success 0 0
1619596835.020001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a30000
success 0 0
1619596835.020001
NtAllocateVirtualMemory
process_identifier: 2448
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02a40000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Foreign language identified in PE resource (1 个事件)
name RT_VERSION offset 0x001799d0 filetype data sublanguage SUBLANG_ARABIC_MOROCCO size 0x00000380
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
Creates a suspicious process (1 个事件)
cmdline C:\Windows\System32\svchost.exe
Drops a binary and executes it (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
Drops an executable to the user AppData folder (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
A process created a hidden window (2 个事件)
Time & API Arguments Status Return Repeated
1619596824.503374
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RSFKR.bat
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\RSFKR.bat
show_type: 0
success 1 0
1619596832.644374
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
show_type: 0
success 1 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (10 个事件)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)
Time & API Arguments Status Return Repeated
1619596814.472751
NtProtectVirtualMemory
process_identifier: 364
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x024d0000
success 0 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (50 out of 60 个事件)
Time & API Arguments Status Return Repeated
1619596839.066374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596840.597374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596842.160374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596843.675374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596845.347374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596846.863374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596848.425374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596850.253374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596851.769374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596853.285374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596854.800374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596856.332374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596857.847374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596859.363374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596860.894374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596862.410374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596863.941374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596865.457374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596867.003374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596868.535374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596870.050374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596871.566374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596873.082374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596874.769374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596876.300374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596877.925374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596879.488374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596881.019374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596882.550374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596884.285374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596885.847374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596887.425374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596888.972374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596890.503374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596892.050374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596893.582374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596895.175374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596896.691374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596898.285374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596899.832374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596901.347374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596902.878374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596904.425374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596905.957374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596907.488374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596909.113374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596910.972374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596912.816374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596914.472374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619596916.035374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Created a process named as a common system process (2 个事件)
Time & API Arguments Status Return Repeated
1619596817.128751
CreateProcessInternalW
thread_identifier: 1704
thread_handle: 0x000000c0
process_identifier: 3064
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\svchost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000c8
inherit_handles: 0
success 1 0
1619596835.239001
CreateProcessInternalW
thread_identifier: 2944
thread_handle: 0x000000c0
process_identifier: 2968
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\svchost.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000c8
inherit_handles: 0
success 1 0
Uses Windows utilities for basic Windows functionality (1 个事件)
cmdline REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe" /f
网络通信
One or more of the buffers contains an embedded PE file (2 个事件)
buffer Buffer with sha1: 78aac5cf2801892bb1d7bf0b50b4967009c577e6
buffer Buffer with sha1: 4598324d029030a6552b779d502e63a4f7687cb7
Communicates with host for which no DNS query was performed (2 个事件)
host 172.217.24.14
host 203.208.41.98
Allocates execute permission to another process indicative of possible code injection (5 个事件)
Time & API Arguments Status Return Repeated
1619596817.128751
NtAllocateVirtualMemory
process_identifier: 3064
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619596818.707751
NtAllocateVirtualMemory
process_identifier: 732
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000cc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619596835.239001
NtAllocateVirtualMemory
process_identifier: 2968
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619596836.270001
NtAllocateVirtualMemory
process_identifier: 2548
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000cc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619596836.879001
NtAllocateVirtualMemory
process_identifier: 1712
region_size: 749568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000d4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Installs itself for autorun at Windows startup (1 个事件)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\java reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\IDM\ichader.exe
Detects Avast Antivirus through the presence of a library (4 个事件)
Time & API Arguments Status Return Repeated
1619596816.519751
LdrGetDllHandle
module_name: snxhk.dll
stack_pivoted: 0
module_address: 0x00000000
failed 3221225781 0
1619596816.519751
LdrGetDllHandle
module_name: snxhk.dll
stack_pivoted: 0
module_address: 0x00000000
failed 3221225781 0
1619596834.848001
LdrGetDllHandle
module_name: snxhk.dll
stack_pivoted: 0
module_address: 0x00000000
failed 3221225781 0
1619596834.848001
LdrGetDllHandle
module_name: snxhk.dll
stack_pivoted: 0
module_address: 0x00000000
failed 3221225781 0
Creates known Fynloski/DarkComet files, registry keys and/or mutexes (3 个事件)
mutex DC_MUTEX-6ZFK11A
regkey HKEY_CURRENT_USER\Software\DC3_FEXEC
regkey HKEY_CURRENT_USER\Software\DC2_USERS
Potential code injection by writing to the memory of another process (13 个事件)
Time & API Arguments Status Return Repeated
1619596817.128751
WriteProcessMemory
process_identifier: 3064
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619596817.144751
WriteProcessMemory
process_identifier: 3064
buffer: ¤t P(€Ȁ€¤t P1uP€2ux€3u €¤t PhL¡0°¤t P€¢è°¤t P¸l¥(°¤t Pà€¤t Pø˜¦0°¤t P €¤t P 8̦(°¸g( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÐd( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¨c( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿxc 01u è2u(3uPa(4VS_VERSION_INFO½ïþDVarFileInfo$Translation °ˆStringFileInfod040904B0D$CompanyNameArachnid Software4ProductNameWatchIt!, FileVersion1.000 ProductVersion1.004InternalNameWatchIt!DOriginalFilenameWatchIt!.exeT©0©a©L©n©|©Œ©œ©ª©¸©h€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000c8
base_address: 0x0040a000
success 1 0
1619596817.144751
WriteProcessMemory
process_identifier: 3064
buffer: ¿@‰@ÿàŠ@t/¡ƒÇ»°@ÿã¾@‰@ÿæÐ,°x\ôàÈ÷÷÷Dt9ôô`ô¢]Ct9ôq²Bœôe³Bt9ô\Cœôœôt9ôìr-€fò H. Œ£uðò(ôÕq w}¯¼7þÿÿÿŒã›wòà›w\ôdôÿÿÿÿÐ,Àóìó³ý~bÜó BÂu0³ý~ô`-€fò :/*8ôRç›wheòxfòô#à›wdôdôxfò,ô¨æ›w-€fò<ôæ›w€fòþÿÿÿô¢íËvdô;0Êv²øÍV€öŒ ¬ô„ŠCEdôœô€öt9ôå±Bt9ô€öt9ôÓYC½Œ Œ ö¼‹CŒ
process_handle: 0x000000c8
base_address: 0x0040b000
success 1 0
1619596817.160751
WriteProcessMemory
process_identifier: 3064
buffer: @
process_handle: 0x000000c8
base_address: 0x7efde008
success 1 0
1619596818.707751
WriteProcessMemory
process_identifier: 732
buffer: ô϶O0€Ѐ€P€ô϶O1uX€2u€€3u¨€ô϶Opœ¡0°ô϶O˜Ð¢è°ô϶OÀ¼¥(°ô϶Oè€ô϶Oè¦0°ô϶O(€ô϶O @§À°€h€€à¨&PUT˜a( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÈb( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ°e( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿØf 01u è2u(3ugÀ4VS_VERSION_INFO½ïþDVarFileInfo$Translation ° StringFileInfoü040904B00ProductNameCRITIC, FileVersion1.000 ProductVersion1.00$InternalNamea4 OriginalFilenamea.exeÈhjava*1*|OFF|*appdata*IDM\*ichader.exe*h©D©u©`©‚©© ©°©¾©Ì©k€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000cc
base_address: 0x0040a000
success 1 0
1619596818.707751
WriteProcessMemory
process_identifier: 732
buffer: @
process_handle: 0x000000cc
base_address: 0x7efde008
success 1 0
1619596835.239001
WriteProcessMemory
process_identifier: 2968
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619596835.239001
WriteProcessMemory
process_identifier: 2968
buffer: ¤t P(€Ȁ€¤t P1uP€2ux€3u €¤t PhL¡0°¤t P€¢è°¤t P¸l¥(°¤t Pà€¤t Pø˜¦0°¤t P €¤t P 8̦(°¸g( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÐd( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¨c( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿxc 01u è2u(3uPa(4VS_VERSION_INFO½ïþDVarFileInfo$Translation °ˆStringFileInfod040904B0D$CompanyNameArachnid Software4ProductNameWatchIt!, FileVersion1.000 ProductVersion1.004InternalNameWatchIt!DOriginalFilenameWatchIt!.exeT©0©a©L©n©|©Œ©œ©ª©¸©h€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000c8
base_address: 0x0040a000
success 1 0
1619596835.239001
WriteProcessMemory
process_identifier: 2968
buffer: ¿@‰@ÿàŠ@t/¡ƒÇ»°@ÿã¾@‰@ÿæÐ,°x\ôàÈ÷÷÷Dt9ôô`ô¢]Ct9ôq²Bœôe³Bt9ô\Cœôœôt9ôìr-€fò H. Œ£uðò(ôÕq w}¯¼7þÿÿÿŒã›wòà›w\ôdôÿÿÿÿÐ,Àóìó³ý~bÜó BÂu0³ý~ô`-€fò :/*8ôRç›wheòxfòô#à›wdôdôxfò,ô¨æ›w-€fò<ôæ›w€fòþÿÿÿô¢íËvdô;0Êv²øÍV€öŒ ¬ô„ŠCEdôœô€öt9ôå±Bt9ô€öt9ôÓYC½Œ Œ ö¼‹CŒ
process_handle: 0x000000c8
base_address: 0x0040b000
success 1 0
1619596835.254001
WriteProcessMemory
process_identifier: 2968
buffer: @
process_handle: 0x000000c8
base_address: 0x7efde008
success 1 0
1619596836.270001
WriteProcessMemory
process_identifier: 2548
buffer: ô϶O0€Ѐ€P€ô϶O1uX€2u€€3u¨€ô϶Opœ¡0°ô϶O˜Ð¢è°ô϶OÀ¼¥(°ô϶Oè€ô϶Oè¦0°ô϶O(€ô϶O @§À°€h€€à¨&PUT˜a( @ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿü<ÿÃüø?üûÿüûÿüûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿýÿûÿÁÿûü=ÿûÃÁÿø<?ÿûÃÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿÀøøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÈb( @€€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿÿpÿÿÿwpÿÿÿÿÿÿwwpÿÿÿÿÿÿÿÿwpÿÿÿÿÿÿÿÿpÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿˆˆÿÿÿÿˆˆÿÿˆˆîîîîîîîÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÁÿÿüÿ€øøøøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿøÿø?ÿøÿÿø?ÿÿûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ°e( À€€€€€€€€€€€€ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿðwÿÿðwpÿÿÿðpÿÿÿðÿÿÿðÿÿ€€àîààÿÿÿÿÿøÀÀÀÀÀÀÀÀÇÿÿÿÿÿÿÿØf 01u è2u(3ugÀ4VS_VERSION_INFO½ïþDVarFileInfo$Translation ° StringFileInfoü040904B00ProductNameCRITIC, FileVersion1.000 ProductVersion1.00$InternalNamea4 OriginalFilenamea.exeÈhjava*1*|OFF|*appdata*IDM\*ichader.exe*h©D©u©`©‚©© ©°©¾©Ì©k€KERNEL32.DLLMSVBVM60.DLLLoadLibraryAGetProcAddressVirtualProtectVirtualAllocVirtualFreeExitProcess
process_handle: 0x000000cc
base_address: 0x0040a000
success 1 0
1619596836.270001
WriteProcessMemory
process_identifier: 2548
buffer: @
process_handle: 0x000000cc
base_address: 0x7efde008
success 1 0
1619596836.942001
WriteProcessMemory
process_identifier: 1712
buffer: @
process_handle: 0x000000d4
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (2 个事件)
Time & API Arguments Status Return Repeated
1619596817.128751
WriteProcessMemory
process_identifier: 3064
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
1619596835.239001
WriteProcessMemory
process_identifier: 2968
buffer: MZÿÿ¸@@PEL¤t Pà 0`°p @Àý0ô¨Ô ôtext``€àdata0p&@à.rsrc  (@À.MUX°2Ð,ô,lòàà
process_handle: 0x000000c8
base_address: 0x00400000
success 1 0
Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)
Time & API Arguments Status Return Repeated
1619596840.519751
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x004818f8
module_address: 0x00400000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 66027 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2012-09-05 08:15:40

Imports

Library MSVBVM60.DLL:
0x401000 MethCallEngine
0x401004
0x401008 EVENT_SINK_AddRef
0x40100c
0x401010
0x401014 DllFunctionCall
0x401018 EVENT_SINK_Release
0x401020 __vbaExceptHandler
0x401024
0x401028 ProcCallEngine
0x40102c

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49197 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49198 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49193 203.208.41.34 update.googleapis.com 443
192.168.56.101 49196 203.208.41.97 redirector.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=880506-926735
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=20029-33909
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=868323-880505
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=641847-700096
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=48082-63942
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=457446-519385
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=765276-868322
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=75631-101061
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=352465203a0c8e66&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619567777&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-7079
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.