13.6
0-day

a500f27709fb009950d25abae11f25c6e8e0205d15931530467ecfb342a661ad

75cef2dae16a983c118e6d11825829b5.exe

Analysis duration

76s

Latest analysis

File size

1.1MB
Static detections / Dynamic detections: AGEN AGENTTESLA AI SCORE=86 AIDETECTVM ARTEMIS AUTOINJ AUTOIT CLASSIC CONFIDENCE ELDORADO GENERICKD HIGH CONFIDENCE HNLBLS MALWARE1 MALWARE@#1ATX56J6XAV02 PREDATOR REMCOS S1255 SCORE SIGGEN9 SUSGEN TROJANAITINJECT UNSAFE
Eagle Eye engine
Not detected: no Eagle Eye engine result is available yet
Static verdict
Antivirus engines
Engine  Result  Scan time  Engine version
McAfee Artemis!75CEF2DAE16A 20201211 6.0.6.653
Alibaba Backdoor:Win32/Remcos.e9404f54 20190527 0.3.0.5
Avast Script:SNH-gen [Trj] 20201210 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft 20201211 2017.9.26.565
CrowdStrike win/malicious_confidence_70% (W) 20190702 1.0
Static indicators
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1619596028.934176
IsDebuggerPresent
failed 0 0
1619614945.91625
IsDebuggerPresent
failed 0 0
One or more processes crashed (2 events)
Time & API Arguments Status Return Repeated
1619596031.043176
__exception__
stacktrace:
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x77d5e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x763514dd
75cef2dae16a983c118e6d11825829b5+0x21cb7 @ 0x1231cb7
75cef2dae16a983c118e6d11825829b5+0xcb4e @ 0x121cb4e
75cef2dae16a983c118e6d11825829b5+0x650d3 @ 0x12750d3
75cef2dae16a983c118e6d11825829b5+0x10cf3 @ 0x1220cf3
75cef2dae16a983c118e6d11825829b5+0x13f4b @ 0x1223f4b
75cef2dae16a983c118e6d11825829b5+0xef8c @ 0x121ef8c
75cef2dae16a983c118e6d11825829b5+0xeb87 @ 0x121eb87
75cef2dae16a983c118e6d11825829b5+0x134eb @ 0x12234eb
75cef2dae16a983c118e6d11825829b5+0x79cc5 @ 0x1289cc5
75cef2dae16a983c118e6d11825829b5+0x143ee @ 0x12243ee
75cef2dae16a983c118e6d11825829b5+0x14659 @ 0x1224659
75cef2dae16a983c118e6d11825829b5+0x7b801 @ 0x128b801
75cef2dae16a983c118e6d11825829b5+0xff30 @ 0x121ff30
75cef2dae16a983c118e6d11825829b5+0x143ee @ 0x12243ee
75cef2dae16a983c118e6d11825829b5+0x14659 @ 0x1224659
75cef2dae16a983c118e6d11825829b5+0x7b801 @ 0x128b801
75cef2dae16a983c118e6d11825829b5+0xff30 @ 0x121ff30
75cef2dae16a983c118e6d11825829b5+0xf4ad @ 0x121f4ad
75cef2dae16a983c118e6d11825829b5+0xec59 @ 0x121ec59
75cef2dae16a983c118e6d11825829b5+0x134eb @ 0x12234eb
75cef2dae16a983c118e6d11825829b5+0xecc5 @ 0x121ecc5
75cef2dae16a983c118e6d11825829b5+0x134eb @ 0x12234eb
75cef2dae16a983c118e6d11825829b5+0xecc5 @ 0x121ecc5
75cef2dae16a983c118e6d11825829b5+0x134eb @ 0x12234eb
75cef2dae16a983c118e6d11825829b5+0xecc5 @ 0x121ecc5
75cef2dae16a983c118e6d11825829b5+0x3e2a @ 0x1213e2a
75cef2dae16a983c118e6d11825829b5+0x3aa3 @ 0x1213aa3
75cef2dae16a983c118e6d11825829b5+0x25efa @ 0x1235efa
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 6088528
registers.edi: 9301872
registers.eax: 11
registers.ebp: 6088580
registers.edx: 9301880
registers.ebx: 9301880
registers.esi: 895133955
registers.ecx: 8978432
exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e
exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e
exception.instruction: mov eax, dword ptr [esi + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189342
exception.address: 0x77d5e39e
success 0 0
1619614948.66625
__exception__
stacktrace:
RtlFreeHeap+0x7e RtlAllocateHeap-0x23 ntdll+0x2e003 @ 0x77d5e003
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x763514dd
remcos23w+0x21cb7 @ 0x3c1cb7
remcos23w+0xcb4e @ 0x3acb4e
remcos23w+0x650d3 @ 0x4050d3
remcos23w+0x10cf3 @ 0x3b0cf3
remcos23w+0x13f4b @ 0x3b3f4b
remcos23w+0xef8c @ 0x3aef8c
remcos23w+0xeb87 @ 0x3aeb87
remcos23w+0x134eb @ 0x3b34eb
remcos23w+0x79cc5 @ 0x419cc5
remcos23w+0x143ee @ 0x3b43ee
remcos23w+0x14659 @ 0x3b4659
remcos23w+0x7b801 @ 0x41b801
remcos23w+0xff30 @ 0x3aff30
remcos23w+0x143ee @ 0x3b43ee
remcos23w+0x14659 @ 0x3b4659
remcos23w+0x7b801 @ 0x41b801
remcos23w+0xff30 @ 0x3aff30
remcos23w+0xf4ad @ 0x3af4ad
remcos23w+0xec59 @ 0x3aec59
remcos23w+0x134eb @ 0x3b34eb
remcos23w+0xecc5 @ 0x3aecc5
remcos23w+0x134eb @ 0x3b34eb
remcos23w+0xecc5 @ 0x3aecc5
remcos23w+0x134eb @ 0x3b34eb
remcos23w+0xecc5 @ 0x3aecc5
remcos23w+0x3e2a @ 0x3a3e2a
remcos23w+0x3aa3 @ 0x3a3aa3
remcos23w+0x25efa @ 0x3c5efa
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 10348464
registers.edi: 12324200
registers.eax: 11
registers.ebp: 10348516
registers.edx: 12324208
registers.ebx: 12324208
registers.esi: 2081503318
registers.ecx: 11862016
exception.instruction_r: 8b 46 04 89 45 f4 c6 47 07 80 c6 47 06 00 8b 5e
exception.symbol: RtlInitUnicodeString+0x196 RtlMultiByteToUnicodeN-0x1a7 ntdll+0x2e39e
exception.instruction: mov eax, dword ptr [esi + 4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 189342
exception.address: 0x77d5e39e
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (6 events)
Time & API Arguments Status Return Repeated
1619596030.184176
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006b0000
success 0 0
1619596030.387176
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01150000
success 0 0
1619596030.574176
NtAllocateVirtualMemory
process_identifier: 2900
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01190000
success 0 0
1619614947.57225
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x002c0000
success 0 0
1619614947.72825
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00b00000
success 0 0
1619614948.10325
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x026f0000
success 0 0
A process attempted to delay the analysis task. (1 event)
description remcos23w.exe tried to sleep 206 seconds, actually delayed analysis time by 206 seconds
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
Creates a suspicious process (2 events)
cmdline "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
cmdline C:\Windows\SysWOW64\svchost.exe
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated
1619614939.9935
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs
show_type: 0
success 1 0
1619614943.852875
ShellExecuteExW
parameters: /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
filepath: cmd
filepath_r: cmd
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.596844249108772 section {'size_of_data': '0x00057400', 'virtual_address': '0x000c4000', 'entropy': 7.596844249108772, 'name': '.rsrc', 'virtual_size': '0x0005726c'} description A section with a high entropy has been found
entropy 0.3029513888888889 description Overall entropy of this PE file is high
Network communication
One or more of the buffers contains an embedded PE file (1 event)
buffer Buffer with sha1: 8b1b4235e97df4f283efc8d4889629d1bc168f1a
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (50 out of 302 events)
Time & API Arguments Status Return Repeated
1619596030.574176
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000128
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619596030.574176
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000128
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619614948.10325
NtAllocateVirtualMemory
process_identifier: 1948
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000012c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614948.10325
NtAllocateVirtualMemory
process_identifier: 1948
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000012c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619614949.368375
NtAllocateVirtualMemory
process_identifier: 1936
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000150
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619614953.165375
NtAllocateVirtualMemory
process_identifier: 284
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001d4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619614956.837375
NtAllocateVirtualMemory
process_identifier: 2104
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001e8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619614960.649375
NtAllocateVirtualMemory
process_identifier: 2136
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619614963.712375
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000200
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614963.868375
NtAllocateVirtualMemory
process_identifier: 2840
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000204
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.040375
NtAllocateVirtualMemory
process_identifier: 2948
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000020c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.180375
NtAllocateVirtualMemory
process_identifier: 2968
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000218
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.337375
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000021c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.493375
NtAllocateVirtualMemory
process_identifier: 3100
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000224
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.587375
NtAllocateVirtualMemory
process_identifier: 3136
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000022c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.696375
NtAllocateVirtualMemory
process_identifier: 3172
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000234
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.790375
NtAllocateVirtualMemory
process_identifier: 3208
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000023c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.899375
NtAllocateVirtualMemory
process_identifier: 3244
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001dc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.024375
NtAllocateVirtualMemory
process_identifier: 3280
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000248
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.134375
NtAllocateVirtualMemory
process_identifier: 3316
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000024c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.227375
NtAllocateVirtualMemory
process_identifier: 3352
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000254
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.352375
NtAllocateVirtualMemory
process_identifier: 3388
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000025c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.446375
NtAllocateVirtualMemory
process_identifier: 3424
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000264
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.555375
NtAllocateVirtualMemory
process_identifier: 3460
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000026c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.665375
NtAllocateVirtualMemory
process_identifier: 3496
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000274
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.759375
NtAllocateVirtualMemory
process_identifier: 3532
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000027c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.852375
NtAllocateVirtualMemory
process_identifier: 3568
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000294
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.946375
NtAllocateVirtualMemory
process_identifier: 3604
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000298
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.071375
NtAllocateVirtualMemory
process_identifier: 3640
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002a0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.180375
NtAllocateVirtualMemory
process_identifier: 3676
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002a8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.274375
NtAllocateVirtualMemory
process_identifier: 3712
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002b0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.368375
NtAllocateVirtualMemory
process_identifier: 3748
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002b8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.462375
NtAllocateVirtualMemory
process_identifier: 3784
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.555375
NtAllocateVirtualMemory
process_identifier: 3820
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002c8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.665375
NtAllocateVirtualMemory
process_identifier: 3856
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002d0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.790375
NtAllocateVirtualMemory
process_identifier: 3892
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002d8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.868375
NtAllocateVirtualMemory
process_identifier: 3928
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614967.024375
NtAllocateVirtualMemory
process_identifier: 3964
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002e8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614967.118375
NtAllocateVirtualMemory
process_identifier: 4000
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002f0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614967.212375
NtAllocateVirtualMemory
process_identifier: 4036
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002f8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614967.305375
NtAllocateVirtualMemory
process_identifier: 4072
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000300
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614967.399375
NtAllocateVirtualMemory
process_identifier: 3096
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000308
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614967.509375
NtAllocateVirtualMemory
process_identifier: 3168
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000310
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614967.602375
NtAllocateVirtualMemory
process_identifier: 3220
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000318
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614967.712375
NtAllocateVirtualMemory
process_identifier: 3300
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000320
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614967.805375
NtAllocateVirtualMemory
process_identifier: 3344
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000328
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614967.977375
NtAllocateVirtualMemory
process_identifier: 3400
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000330
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614968.055375
NtAllocateVirtualMemory
process_identifier: 3632
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000338
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614968.196375
NtAllocateVirtualMemory
process_identifier: 3708
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000284
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614968.337375
NtAllocateVirtualMemory
process_identifier: 3768
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000344
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Installs itself for autorun at Windows startup (18 events)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos23s reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
Manipulates memory of a non-child process indicative of process injection (50 out of 588 events)
Process injection Process 1948 manipulating memory of non-child process 2856
Process injection Process 1948 manipulating memory of non-child process 2840
Process injection Process 1948 manipulating memory of non-child process 2948
Process injection Process 1948 manipulating memory of non-child process 2968
Process injection Process 1948 manipulating memory of non-child process 2424
Process injection Process 1948 manipulating memory of non-child process 3100
Process injection Process 1948 manipulating memory of non-child process 3136
Process injection Process 1948 manipulating memory of non-child process 3172
Process injection Process 1948 manipulating memory of non-child process 3208
Process injection Process 1948 manipulating memory of non-child process 3244
Process injection Process 1948 manipulating memory of non-child process 3280
Process injection Process 1948 manipulating memory of non-child process 3316
Process injection Process 1948 manipulating memory of non-child process 3352
Process injection Process 1948 manipulating memory of non-child process 3388
Process injection Process 1948 manipulating memory of non-child process 3424
Process injection Process 1948 manipulating memory of non-child process 3460
Process injection Process 1948 manipulating memory of non-child process 3496
Process injection Process 1948 manipulating memory of non-child process 3532
Process injection Process 1948 manipulating memory of non-child process 3568
Process injection Process 1948 manipulating memory of non-child process 3604
Process injection Process 1948 manipulating memory of non-child process 3640
Process injection Process 1948 manipulating memory of non-child process 3676
Process injection Process 1948 manipulating memory of non-child process 3712
Process injection Process 1948 manipulating memory of non-child process 3748
Process injection Process 1948 manipulating memory of non-child process 3784
Time & API Arguments Status Return Repeated
1619614963.712375
NtAllocateVirtualMemory
process_identifier: 2856
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000200
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614963.868375
NtAllocateVirtualMemory
process_identifier: 2840
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000204
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.040375
NtAllocateVirtualMemory
process_identifier: 2948
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000020c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.180375
NtAllocateVirtualMemory
process_identifier: 2968
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000218
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.337375
NtAllocateVirtualMemory
process_identifier: 2424
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000021c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.493375
NtAllocateVirtualMemory
process_identifier: 3100
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000224
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.587375
NtAllocateVirtualMemory
process_identifier: 3136
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000022c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.696375
NtAllocateVirtualMemory
process_identifier: 3172
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000234
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.790375
NtAllocateVirtualMemory
process_identifier: 3208
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000023c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614964.899375
NtAllocateVirtualMemory
process_identifier: 3244
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001dc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.024375
NtAllocateVirtualMemory
process_identifier: 3280
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000248
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.134375
NtAllocateVirtualMemory
process_identifier: 3316
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000024c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.227375
NtAllocateVirtualMemory
process_identifier: 3352
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000254
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.352375
NtAllocateVirtualMemory
process_identifier: 3388
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000025c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.446375
NtAllocateVirtualMemory
process_identifier: 3424
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000264
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.555375
NtAllocateVirtualMemory
process_identifier: 3460
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000026c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.665375
NtAllocateVirtualMemory
process_identifier: 3496
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000274
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.759375
NtAllocateVirtualMemory
process_identifier: 3532
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000027c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.852375
NtAllocateVirtualMemory
process_identifier: 3568
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000294
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614965.946375
NtAllocateVirtualMemory
process_identifier: 3604
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000298
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.071375
NtAllocateVirtualMemory
process_identifier: 3640
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002a0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.180375
NtAllocateVirtualMemory
process_identifier: 3676
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002a8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.274375
NtAllocateVirtualMemory
process_identifier: 3712
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002b0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.368375
NtAllocateVirtualMemory
process_identifier: 3748
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002b8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614966.462375
NtAllocateVirtualMemory
process_identifier: 3784
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000002c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (10 events)
Time & API Arguments Status Return Repeated
1619596030.590176
WriteProcessMemory
process_identifier: 1068
buffer:
process_handle: 0x00000128
base_address: 0xfffde008
success 1 0
1619614948.11925
WriteProcessMemory
process_identifier: 1948
buffer:
process_handle: 0x0000012c
base_address: 0xfffde008
success 1 0
1619614949.368375
WriteProcessMemory
process_identifier: 1936
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ýdȞ¹¦Í¹¦Í¹¦Í'¥a͸¦ÍHÃk͊¦ÍHÃhͦÍHÃi͋¦Í°}%Ͱ¦Í°}5͜¦Í¹§Í­¦Íßë~Íô¦ÍßëkÍ»¦Íßëo͸¦Í¹1͸¦Íßëj͸¦ÍRich¹¦ÍPEL >×^à"  ¶J t_Ð@pÃ;@€@@p |@ lrÀLlÐØ0' @Ð`.textOµ¶ `.rdataBÌÐκ@@.dataT  bˆ @À.rsrclr@ tê @@.reloct¤À¦^@B
process_handle: 0x00000150
base_address: 0x00400000
success 1 0
1619614949.477375
WriteProcessMemory
process_identifier: 1936
buffer: @
process_handle: 0x00000150
base_address: 0x7efde008
success 1 0
1619614953.165375
WriteProcessMemory
process_identifier: 284
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ýdȞ¹¦Í¹¦Í¹¦Í'¥a͸¦ÍHÃk͊¦ÍHÃhͦÍHÃi͋¦Í°}%Ͱ¦Í°}5͜¦Í¹§Í­¦Íßë~Íô¦ÍßëkÍ»¦Íßëo͸¦Í¹1͸¦Íßëj͸¦ÍRich¹¦ÍPEL >×^à"  ¶J t_Ð@pÃ;@€@@p |@ lrÀLlÐØ0' @Ð`.textOµ¶ `.rdataBÌÐκ@@.dataT  bˆ @À.rsrclr@ tê @@.reloct¤À¦^@B
process_handle: 0x000001d4
base_address: 0x00400000
success 1 0
1619614953.274375
WriteProcessMemory
process_identifier: 284
buffer: @
process_handle: 0x000001d4
base_address: 0x7efde008
success 1 0
1619614956.837375
WriteProcessMemory
process_identifier: 2104
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ýdȞ¹¦Í¹¦Í¹¦Í'¥a͸¦ÍHÃk͊¦ÍHÃhͦÍHÃi͋¦Í°}%Ͱ¦Í°}5͜¦Í¹§Í­¦Íßë~Íô¦ÍßëkÍ»¦Íßëo͸¦Í¹1͸¦Íßëj͸¦ÍRich¹¦ÍPEL >×^à"  ¶J t_Ð@pÃ;@€@@p |@ lrÀLlÐØ0' @Ð`.textOµ¶ `.rdataBÌÐκ@@.dataT  bˆ @À.rsrclr@ tê @@.reloct¤À¦^@B
process_handle: 0x000001e8
base_address: 0x00400000
success 1 0
1619614956.915375
WriteProcessMemory
process_identifier: 2104
buffer: @
process_handle: 0x000001e8
base_address: 0x7efde008
success 1 0
1619614960.649375
WriteProcessMemory
process_identifier: 2136
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ýdȞ¹¦Í¹¦Í¹¦Í'¥a͸¦ÍHÃk͊¦ÍHÃhͦÍHÃi͋¦Í°}%Ͱ¦Í°}5͜¦Í¹§Í­¦Íßë~Íô¦ÍßëkÍ»¦Íßëo͸¦Í¹1͸¦Íßëj͸¦ÍRich¹¦ÍPEL >×^à"  ¶J t_Ð@pÃ;@€@@p |@ lrÀLlÐØ0' @Ð`.textOµ¶ `.rdataBÌÐκ@@.dataT  bˆ @À.rsrclr@ tê @@.reloct¤À¦^@B
process_handle: 0x000001f4
base_address: 0x00400000
success 1 0
1619614960.837375
WriteProcessMemory
process_identifier: 2136
buffer: @
process_handle: 0x000001f4
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619614949.368375
WriteProcessMemory
process_identifier: 1936
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ýdȞ¹¦Í¹¦Í¹¦Í'¥a͸¦ÍHÃk͊¦ÍHÃhͦÍHÃi͋¦Í°}%Ͱ¦Í°}5͜¦Í¹§Í­¦Íßë~Íô¦ÍßëkÍ»¦Íßëo͸¦Í¹1͸¦Íßëj͸¦ÍRich¹¦ÍPEL >×^à"  ¶J t_Ð@pÃ;@€@@p |@ lrÀLlÐØ0' @Ð`.textOµ¶ `.rdataBÌÐκ@@.dataT  bˆ @À.rsrclr@ tê @@.reloct¤À¦^@B
process_handle: 0x00000150
base_address: 0x00400000
success 1 0
1619614953.165375
WriteProcessMemory
process_identifier: 284
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ýdȞ¹¦Í¹¦Í¹¦Í'¥a͸¦ÍHÃk͊¦ÍHÃhͦÍHÃi͋¦Í°}%Ͱ¦Í°}5͜¦Í¹§Í­¦Íßë~Íô¦ÍßëkÍ»¦Íßëo͸¦Í¹1͸¦Íßëj͸¦ÍRich¹¦ÍPEL >×^à"  ¶J t_Ð@pÃ;@€@@p |@ lrÀLlÐØ0' @Ð`.textOµ¶ `.rdataBÌÐκ@@.dataT  bˆ @À.rsrclr@ tê @@.reloct¤À¦^@B
process_handle: 0x000001d4
base_address: 0x00400000
success 1 0
1619614956.837375
WriteProcessMemory
process_identifier: 2104
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ýdȞ¹¦Í¹¦Í¹¦Í'¥a͸¦ÍHÃk͊¦ÍHÃhͦÍHÃi͋¦Í°}%Ͱ¦Í°}5͜¦Í¹§Í­¦Íßë~Íô¦ÍßëkÍ»¦Íßëo͸¦Í¹1͸¦Íßëj͸¦ÍRich¹¦ÍPEL >×^à"  ¶J t_Ð@pÃ;@€@@p |@ lrÀLlÐØ0' @Ð`.textOµ¶ `.rdataBÌÐκ@@.dataT  bˆ @À.rsrclr@ tê @@.reloct¤À¦^@B
process_handle: 0x000001e8
base_address: 0x00400000
success 1 0
1619614960.649375
WriteProcessMemory
process_identifier: 2136
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ýdȞ¹¦Í¹¦Í¹¦Í'¥a͸¦ÍHÃk͊¦ÍHÃhͦÍHÃi͋¦Í°}%Ͱ¦Í°}5͜¦Í¹§Í­¦Íßë~Íô¦ÍßëkÍ»¦Íßëo͸¦Í¹1͸¦Íßëj͸¦ÍRich¹¦ÍPEL >×^à"  ¶J t_Ð@pÃ;@€@@p |@ lrÀLlÐØ0' @Ð`.textOµ¶ `.rdataBÌÐκ@@.dataT  bˆ @À.rsrclr@ tê @@.reloct¤À¦^@B
process_handle: 0x000001f4
base_address: 0x00400000
success 1 0
Creates a Windows hook that monitors keyboard input (keylogger) (1 event)
Time & API Arguments Status Return Repeated
1619614948.962375
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x000b51ae
module_address: 0x00000000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 131507 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (12 events)
Process injection Process 2900 called NtSetContextThread to modify thread in remote process 1068
Process injection Process 1804 called NtSetContextThread to modify thread in remote process 1948
Process injection Process 1948 called NtSetContextThread to modify thread in remote process 1936
Process injection Process 1948 called NtSetContextThread to modify thread in remote process 284
Process injection Process 1948 called NtSetContextThread to modify thread in remote process 2104
Process injection Process 1948 called NtSetContextThread to modify thread in remote process 2136
Time & API Arguments Status Return Repeated
1619596030.606176
NtSetContextThread
thread_handle: 0x00000124
registers.eip: 2010382788
registers.esp: 7929668
registers.edi: 0
registers.eax: 801412
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
process_identifier: 1068
success 0 0
1619614948.11925
NtSetContextThread
thread_handle: 0x00000128
registers.eip: 2010382788
registers.esp: 9828604
registers.edi: 0
registers.eax: 801412
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
process_identifier: 1948
success 0 0
1619614949.477375
NtSetContextThread
thread_handle: 0x0000014c
registers.eip: 2010382788
registers.esp: 2947284
registers.edi: 0
registers.eax: 4349812
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1936
success 0 0
1619614953.274375
NtSetContextThread
thread_handle: 0x000001c4
registers.eip: 2010382788
registers.esp: 1047340
registers.edi: 0
registers.eax: 4349812
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 284
success 0 0
1619614956.915375
NtSetContextThread
thread_handle: 0x000001d0
registers.eip: 2010382788
registers.esp: 916572
registers.edi: 0
registers.eax: 4349812
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2104
success 0 0
1619614960.837375
NtSetContextThread
thread_handle: 0x000001ec
registers.eip: 2010382788
registers.esp: 2358952
registers.edi: 0
registers.eax: 4349812
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2136
success 0 0
One or more non-safelisted processes were created (2 events)
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
parent_process wscript.exe martian_process cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
Resumed a suspended thread in a remote process, potentially indicative of process injection (12 events)
Process injection Process 2900 resumed a thread in remote process 1068
Process injection Process 1804 resumed a thread in remote process 1948
Process injection Process 1948 resumed a thread in remote process 1936
Process injection Process 1948 resumed a thread in remote process 284
Process injection Process 1948 resumed a thread in remote process 2104
Process injection Process 1948 resumed a thread in remote process 2136
Time & API Arguments Status Return Repeated
1619596031.012176
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 1068
success 0 0
1619614948.65025
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 1948
success 0 0
1619614950.009375
NtResumeThread
thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 1936
success 0 0
1619614953.790375
NtResumeThread
thread_handle: 0x000001c4
suspend_count: 1
process_identifier: 284
success 0 0
1619614957.446375
NtResumeThread
thread_handle: 0x000001d0
suspend_count: 1
process_identifier: 2104
success 0 0
1619614961.415375
NtResumeThread
thread_handle: 0x000001ec
suspend_count: 1
process_identifier: 2136
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 950 events)
Time & API Arguments Status Return Repeated
1619596030.574176
CreateProcessInternalW
thread_identifier: 2984
thread_handle: 0x00000124
process_identifier: 1068
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\75cef2dae16a983c118e6d11825829b5.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\75cef2dae16a983c118e6d11825829b5.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619596030.574176
NtGetContextThread
thread_handle: 0x00000124
success 0 0
1619596030.574176
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000128
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619596030.574176
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000128
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619596030.590176
WriteProcessMemory
process_identifier: 1068
buffer:
process_handle: 0x00000128
base_address: 0x000b0000
success 1 0
1619596030.590176
WriteProcessMemory
process_identifier: 1068
buffer:
process_handle: 0x00000128
base_address: 0xfffde008
success 1 0
1619596030.606176
NtSetContextThread
thread_handle: 0x00000124
registers.eip: 2010382788
registers.esp: 7929668
registers.edi: 0
registers.eax: 801412
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
process_identifier: 1068
success 0 0
1619596031.012176
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 1068
success 0 0
1619614939.5555
NtResumeThread
thread_handle: 0x000001e0
suspend_count: 1
process_identifier: 1068
success 0 0
1619614939.9935
CreateProcessInternalW
thread_identifier: 152
thread_handle: 0x00000174
process_identifier: 2060
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\wscript.exe
track: 1
command_line: "C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs"
filepath_r: C:\Windows\System32\WScript.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000188
inherit_handles: 0
success 1 0
1619614943.852875
CreateProcessInternalW
thread_identifier: 2256
thread_handle: 0x000002b0
process_identifier: 2116
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe"
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002f8
inherit_handles: 0
success 1 0
1619614945.50975
CreateProcessInternalW
thread_identifier: 708
thread_handle: 0x00000080
process_identifier: 1804
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
1619614948.10325
CreateProcessInternalW
thread_identifier: 2228
thread_handle: 0x00000128
process_identifier: 1948
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos23w\remcos23w.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000012c
inherit_handles: 0
success 1 0
1619614948.10325
NtGetContextThread
thread_handle: 0x00000128
success 0 0
1619614948.10325
NtAllocateVirtualMemory
process_identifier: 1948
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000012c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619614948.10325
NtAllocateVirtualMemory
process_identifier: 1948
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000012c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619614948.10325
WriteProcessMemory
process_identifier: 1948
buffer:
process_handle: 0x0000012c
base_address: 0x000b0000
success 1 0
1619614948.11925
WriteProcessMemory
process_identifier: 1948
buffer:
process_handle: 0x0000012c
base_address: 0xfffde008
success 1 0
1619614948.11925
NtSetContextThread
thread_handle: 0x00000128
registers.eip: 2010382788
registers.esp: 9828604
registers.edi: 0
registers.eax: 801412
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
process_identifier: 1948
success 0 0
1619614948.65025
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 1948
success 0 0
1619614949.368375
CreateProcessInternalW
thread_identifier: 920
thread_handle: 0x0000014c
process_identifier: 1936
current_directory:
filepath:
track: 1
command_line: C:\Windows\SysWOW64\svchost.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000150
inherit_handles: 0
success 1 0
1619614949.368375
NtGetContextThread
thread_handle: 0x0000014c
success 0 0
1619614949.368375
NtAllocateVirtualMemory
process_identifier: 1936
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000150
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619614949.368375
WriteProcessMemory
process_identifier: 1936
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ýdȞ¹¦Í¹¦Í¹¦Í'¥a͸¦ÍHÃk͊¦ÍHÃhͦÍHÃi͋¦Í°}%Ͱ¦Í°}5͜¦Í¹§Í­¦Íßë~Íô¦ÍßëkÍ»¦Íßëo͸¦Í¹1͸¦Íßëj͸¦ÍRich¹¦ÍPEL >×^à"  ¶J t_Ð@pÃ;@€@@p |@ lrÀLlÐØ0' @Ð`.textOµ¶ `.rdataBÌÐκ@@.dataT  bˆ @À.rsrclr@ tê @@.reloct¤À¦^@B
process_handle: 0x00000150
base_address: 0x00400000
success 1 0
1619614949.384375
WriteProcessMemory
process_identifier: 1936
buffer:
process_handle: 0x00000150
base_address: 0x00401000
success 1 0
1619614949.430375
WriteProcessMemory
process_identifier: 1936
buffer:
process_handle: 0x00000150
base_address: 0x0048d000
success 1 0
1619614949.446375
WriteProcessMemory
process_identifier: 1936
buffer:
process_handle: 0x00000150
base_address: 0x004ba000
success 1 0
1619614949.446375
WriteProcessMemory
process_identifier: 1936
buffer:
process_handle: 0x00000150
base_address: 0x004c4000
success 1 0
1619614949.477375
WriteProcessMemory
process_identifier: 1936
buffer:
process_handle: 0x00000150
base_address: 0x0051c000
success 1 0
1619614949.477375
WriteProcessMemory
process_identifier: 1936
buffer: @
process_handle: 0x00000150
base_address: 0x7efde008
success 1 0
1619614949.477375
NtSetContextThread
thread_handle: 0x0000014c
registers.eip: 2010382788
registers.esp: 2947284
registers.edi: 0
registers.eax: 4349812
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1936
success 0 0
1619614950.009375
NtResumeThread
thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 1936
success 0 0
1619614953.165375
CreateProcessInternalW
thread_identifier: 2456
thread_handle: 0x000001c4
process_identifier: 284
current_directory:
filepath:
track: 1
command_line: C:\Windows\SysWOW64\svchost.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000001d4
inherit_handles: 0
success 1 0
1619614953.165375
NtGetContextThread
thread_handle: 0x000001c4
success 0 0
1619614953.165375
NtAllocateVirtualMemory
process_identifier: 284
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001d4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619614953.165375
WriteProcessMemory
process_identifier: 284
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ýdȞ¹¦Í¹¦Í¹¦Í'¥a͸¦ÍHÃk͊¦ÍHÃhͦÍHÃi͋¦Í°}%Ͱ¦Í°}5͜¦Í¹§Í­¦Íßë~Íô¦ÍßëkÍ»¦Íßëo͸¦Í¹1͸¦Íßëj͸¦ÍRich¹¦ÍPEL >×^à"  ¶J t_Ð@pÃ;@€@@p |@ lrÀLlÐØ0' @Ð`.textOµ¶ `.rdataBÌÐκ@@.dataT  bˆ @À.rsrclr@ tê @@.reloct¤À¦^@B
process_handle: 0x000001d4
base_address: 0x00400000
success 1 0
1619614953.165375
WriteProcessMemory
process_identifier: 284
buffer:
process_handle: 0x000001d4
base_address: 0x00401000
success 1 0
1619614953.180375
WriteProcessMemory
process_identifier: 284
buffer:
process_handle: 0x000001d4
base_address: 0x0048d000
success 1 0
1619614953.227375
WriteProcessMemory
process_identifier: 284
buffer:
process_handle: 0x000001d4
base_address: 0x004ba000
success 1 0
1619614953.227375
WriteProcessMemory
process_identifier: 284
buffer:
process_handle: 0x000001d4
base_address: 0x004c4000
success 1 0
1619614953.274375
WriteProcessMemory
process_identifier: 284
buffer:
process_handle: 0x000001d4
base_address: 0x0051c000
success 1 0
1619614953.274375
WriteProcessMemory
process_identifier: 284
buffer: @
process_handle: 0x000001d4
base_address: 0x7efde008
success 1 0
1619614953.274375
NtSetContextThread
thread_handle: 0x000001c4
registers.eip: 2010382788
registers.esp: 1047340
registers.edi: 0
registers.eax: 4349812
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 284
success 0 0
1619614953.790375
NtResumeThread
thread_handle: 0x000001c4
suspend_count: 1
process_identifier: 284
success 0 0
1619614956.821375
CreateProcessInternalW
thread_identifier: 1752
thread_handle: 0x000001d0
process_identifier: 2104
current_directory:
filepath:
track: 1
command_line: C:\Windows\SysWOW64\svchost.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000001e8
inherit_handles: 0
success 1 0
1619614956.821375
NtGetContextThread
thread_handle: 0x000001d0
success 0 0
1619614956.837375
NtAllocateVirtualMemory
process_identifier: 2104
region_size: 1208320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001e8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619614956.837375
WriteProcessMemory
process_identifier: 2104
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ýdȞ¹¦Í¹¦Í¹¦Í'¥a͸¦ÍHÃk͊¦ÍHÃhͦÍHÃi͋¦Í°}%Ͱ¦Í°}5͜¦Í¹§Í­¦Íßë~Íô¦ÍßëkÍ»¦Íßëo͸¦Í¹1͸¦Íßëj͸¦ÍRich¹¦ÍPEL >×^à"  ¶J t_Ð@pÃ;@€@@p |@ lrÀLlÐØ0' @Ð`.textOµ¶ `.rdataBÌÐκ@@.dataT  bˆ @À.rsrclr@ tê @@.reloct¤À¦^@B
process_handle: 0x000001e8
base_address: 0x00400000
success 1 0
1619614956.837375
WriteProcessMemory
process_identifier: 2104
buffer:
process_handle: 0x000001e8
base_address: 0x00401000
success 1 0
1619614956.852375
WriteProcessMemory
process_identifier: 2104
buffer:
process_handle: 0x000001e8
base_address: 0x0048d000
success 1 0
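The sequence logged above is textbook process hollowing on 32-bit Windows: CreateProcessInternalW with CREATE_SUSPENDED, NtGetContextThread, NtAllocateVirtualMemory with PAGE_EXECUTE_READWRITE, WriteProcessMemory of a full MZ/PE image, a 4-byte write to PEB+8, NtSetContextThread and finally NtResumeThread. Two details in the entries are worth reading rather than skimming. First, the NtAllocateVirtualMemory calls that "failed 3221225496" returned NTSTATUS 0xC0000018 (STATUS_CONFLICTING_ADDRESSES): when the suspended child is a fresh copy of the injector itself, 0x00400000 is already occupied by that child's own image, so the injector falls back to 0x000b0000 and sets registers.eax to 801412 (0x000c3a84), an address inside that 0x20000-byte region; against a suspended svchost.exe the 0x00400000 allocation succeeds and eax becomes 4349812 (0x00425f74), inside the written image. Second, the "buffer: @" write at 0x7efde008 is the new ImageBaseAddress: the DWORD 0x00400000 is stored little-endian as 00 00 40 00, and the sandbox prints only the printable byte 0x40 ("@"); 0x7efde000 is the PEB, which is exactly registers.ebx in the following NtSetContextThread. eip is left at ntdll's thread start stub, so on resume RtlUserThreadStart jumps to the entry point in eax. The script below is an added example, not part of the sandbox or of its report: it parses entries in this report's layout, groups them by target PID and flags any PID that shows the complete chain, verifying the PEB patch against the ebx value and the entry point against the allocated region. The embedded log is a constructed, abridged excerpt in the report's format (the binary buffer is shortened to "MZ..."); nothing is read from the network or the sandbox.

```python
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x4
PEB_IMAGE_BASE_OFFSET = 0x8      # offsetof(PEB, ImageBaseAddress) on 32-bit Windows

# Constructed excerpt in the report's layout (timestamp, API, "key: value" lines, then
# "status return repeated"). PID 1936 is the hollowed svchost.exe; PID 2060 is a normal launch.
SAMPLE_LOG = """\
1619614949.368375
CreateProcessInternalW
process_identifier: 1936
command_line: C:\\Windows\\SysWOW64\\svchost.exe
creation_flags: 4 (CREATE_SUSPENDED)
success 1 0
1619614949.368375
NtAllocateVirtualMemory
process_identifier: 1936
region_size: 1208320
base_address: 0x00400000
success 0 0
1619614949.368375
WriteProcessMemory
process_identifier: 1936
buffer: MZ...This program cannot be run in DOS mode.
base_address: 0x00400000
success 1 0
1619614949.477375
WriteProcessMemory
process_identifier: 1936
buffer: @
base_address: 0x7efde008
success 1 0
1619614949.477375
NtSetContextThread
registers.eax: 4349812
registers.ebx: 2130567168
process_identifier: 1936
success 0 0
1619614950.009375
NtResumeThread
process_identifier: 1936
success 0 0
1619614939.9935
CreateProcessInternalW
process_identifier: 2060
command_line: "C:\\Windows\\System32\\WScript.exe" "C:\\Users\\ADMINI~1.OSK\\AppData\\Local\\Temp\\install.vbs"
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE)
success 1 0
"""
TS_RE = re.compile(r"^\d{10}\.\d+$")
STATUS_RE = re.compile(r"^(success|failed) (\d+) (\d+)$")

def to_int(field):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x7efde008' -> 2130567176, '-139264' -> 0xFFFDE000."""
    return int(field.split()[0], 0) & 0xFFFFFFFF

def parse_log(text):
    """Split report text into call dicts: {'ts', 'api', 'status', 'ret', <argument name>: <str>}."""
    calls, cur = [], None
    for line in text.splitlines():
        if TS_RE.match(line):
            cur = {"ts": float(line), "api": None}
        elif cur is None:
            continue                      # stray text outside an entry
        elif cur["api"] is None:
            cur["api"] = line.strip()
        elif m := STATUS_RE.match(line):
            cur["status"], cur["ret"] = m.group(1), int(m.group(2))
            calls.append(cur)
            cur = None
        else:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return calls

def find_hollowing(calls):
    """Return {target_pid: evidence} for each PID that shows the complete hollowing chain."""
    by_pid = defaultdict(list)
    for c in calls:
        if "process_identifier" in c:
            by_pid[int(c["process_identifier"])].append(c)
    findings = {}
    for pid, seq in by_pid.items():
        ev, regions = {}, {}
        for c in seq:
            api = c["api"]
            if api == "CreateProcessInternalW" and to_int(c.get("creation_flags", "0")) & CREATE_SUSPENDED:
                ev["suspended_image"] = c.get("command_line") or c.get("filepath")
            elif api == "NtAllocateVirtualMemory" and c["status"] == "success":
                regions[to_int(c["base_address"])] = to_int(c["region_size"])
            elif api == "WriteProcessMemory" and c.get("buffer", "").startswith("MZ"):
                ev["image_base"] = to_int(c["base_address"])
            elif api == "NtSetContextThread":
                # x86 initial thread context: eax = entry point, ebx = PEB; eip is left alone
                ev["entry_point"] = to_int(c["registers.eax"])
                ev["peb"] = to_int(c["registers.ebx"])
            elif api == "NtResumeThread":
                ev["resumed"] = True
        # The PEB write is only recognisable once ebx (= PEB base) is known from the context.
        if "peb" in ev and any(c["api"] == "WriteProcessMemory" and
                               to_int(c["base_address"]) == ev["peb"] + PEB_IMAGE_BASE_OFFSET
                               for c in seq):
            ev["peb_imagebase_patched"] = True
        if {"suspended_image", "image_base", "entry_point", "peb_imagebase_patched", "resumed"}.issubset(ev):
            size = regions.get(ev["image_base"], 0)
            ev["entry_in_image"] = ev["image_base"] <= ev["entry_point"] < ev["image_base"] + size
            findings[pid] = ev
    return findings
```

Running find_hollowing(parse_log(SAMPLE_LOG)) flags only PID 1936, with image_base 0x00400000, PEB 0x7efde000, entry point 0x00425f74 inside the 1208320-byte region, and leaves the wscript.exe launch (PID 2060, no CREATE_SUSPENDED) alone. The same parser can be pointed at the full "Executed a process and injected code into it" listing; to_int masks negative register values to 32 bits, which is why the earlier entries with registers.ebx -139264 parse as a PEB at 0xfffde000 and still match their 0xfffde008 writes.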
File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.Siggen9.51672
MicroWorld-eScan Trojan.GenericKD.43276981
FireEye Trojan.GenericKD.43276981
McAfee Artemis!75CEF2DAE16A
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 700000111 )
Alibaba Backdoor:Win32/Remcos.e9404f54
K7GW Trojan ( 700000111 )
Arcabit Trojan.Generic.D2945AB5
Cyren W32/AutoIt.OM.gen!Eldorado
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win32/Injector.Autoit.FIJ
APEX Malicious
Avast Script:SNH-gen [Trj]
Kaspersky Backdoor.Win32.Remcos.pdm
BitDefender Trojan.GenericKD.43276981
NANO-Antivirus Trojan.Win32.Remcos.hnlbls
Paloalto generic.ml
Ad-Aware Trojan.GenericKD.43276981
Sophos Mal/Generic-S
Comodo Malware@#1atx56j6xav02
F-Secure Heuristic.HEUR/AGEN.1134145
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.TrojanAitInject.tc
Emsisoft Trojan.GenericKD.43276981 (B)
Avira HEUR/AGEN.1134145
Microsoft Trojan:Win32/Predator.SS!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm Backdoor.Win32.Remcos.pdm
GData Trojan.GenericKD.43276981
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/AU3.AutoInj.S1255
MAX malware (ai score=86)
Malwarebytes Trojan.MalPack.AutoIt
Rising Trojan.Obfus/Autoit!1.C12C (CLASSIC)
Ikarus Trojan-Spy.Keylogger.AgentTesla
Fortinet AutoIt/Injector.FIC!tr
MaxSecure Trojan.Malware.300983.susgen
AVG Script:SNH-gen [Trj]
CrowdStrike win/malicious_confidence_70% (W)
Qihoo-360 Win32/Backdoor.da6
The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)
file C:\Windows\SysWOW64\wscript.exe
file C:\Windows\System32\cmd.exe
Visual analysis
Binary image: none (no binary visualization was generated for this sample)
Runtime screenshots: none (no screenshots were captured while the sample ran)

PE Compile Time

2020-06-03 14:07:05

Imports

Library WSOCK32.dll:
0x48d7b0 __WSAFDIsSet
0x48d7b4 recv
0x48d7b8 send
0x48d7bc setsockopt
0x48d7c0 ntohs
0x48d7c4 recvfrom
0x48d7c8 select
0x48d7cc WSAStartup
0x48d7d0 htons
0x48d7d4 accept
0x48d7d8 listen
0x48d7dc bind
0x48d7e0 closesocket
0x48d7e4 connect
0x48d7e8 WSACleanup
0x48d7ec ioctlsocket
0x48d7f0 sendto
0x48d7f4 WSAGetLastError
0x48d7f8 inet_addr
0x48d7fc gethostbyname
0x48d800 gethostname
0x48d804 socket
Library VERSION.dll:
0x48d754 GetFileVersionInfoW
0x48d758 VerQueryValueW
Library WINMM.dll:
0x48d7a0 timeGetTime
0x48d7a4 waveOutSetVolume
0x48d7a8 mciSendStringW
Library COMCTL32.dll:
0x48d088 ImageList_Destroy
0x48d08c ImageList_Remove
0x48d094 ImageList_BeginDrag
0x48d098 ImageList_DragEnter
0x48d09c ImageList_DragLeave
0x48d0a0 ImageList_EndDrag
0x48d0a4 ImageList_DragMove
0x48d0a8 ImageList_Create
Library MPR.dll:
0x48d3e8 WNetUseConnectionW
0x48d3f0 WNetGetConnectionW
0x48d3f4 WNetAddConnection2W
Library WININET.dll:
0x48d764 InternetReadFile
0x48d768 InternetCloseHandle
0x48d76c InternetOpenW
0x48d770 InternetSetOptionW
0x48d774 InternetCrackUrlW
0x48d778 HttpQueryInfoW
0x48d780 HttpOpenRequestW
0x48d784 HttpSendRequestW
0x48d788 FtpOpenFileW
0x48d78c FtpGetFileSize
0x48d790 InternetOpenUrlW
0x48d794 InternetConnectW
Library PSAPI.DLL:
Library IPHLPAPI.DLL:
0x48d154 IcmpCreateFile
0x48d158 IcmpCloseHandle
0x48d15c IcmpSendEcho
Library USERENV.dll:
0x48d738 UnloadUserProfile
0x48d744 LoadUserProfileW
Library UxTheme.dll:
0x48d74c IsThemeActive
Library KERNEL32.dll:
0x48d164 HeapAlloc
0x48d168 GetProcessHeap
0x48d16c HeapFree
0x48d170 Sleep
0x48d174 GetCurrentThreadId
0x48d178 MultiByteToWideChar
0x48d17c MulDiv
0x48d180 GetVersionExW
0x48d184 GetSystemInfo
0x48d188 FreeLibrary
0x48d18c LoadLibraryA
0x48d190 GetProcAddress
0x48d194 SetErrorMode
0x48d198 GetModuleFileNameW
0x48d19c WideCharToMultiByte
0x48d1a0 lstrcpyW
0x48d1a4 lstrlenW
0x48d1a8 GetModuleHandleW
0x48d1b0 VirtualFreeEx
0x48d1b4 OpenProcess
0x48d1b8 VirtualAllocEx
0x48d1bc WriteProcessMemory
0x48d1c0 ReadProcessMemory
0x48d1c4 CreateFileW
0x48d1c8 SetFilePointerEx
0x48d1cc ReadFile
0x48d1d0 WriteFile
0x48d1d4 FlushFileBuffers
0x48d1d8 TerminateProcess
0x48d1e0 Process32FirstW
0x48d1e4 Process32NextW
0x48d1e8 SetFileTime
0x48d1ec GetFileAttributesW
0x48d1f0 FindFirstFileW
0x48d1f4 FindClose
0x48d1f8 GetLongPathNameW
0x48d1fc GetCurrentThread
0x48d200 FindNextFileW
0x48d204 MoveFileW
0x48d208 CopyFileW
0x48d20c CreateDirectoryW
0x48d210 RemoveDirectoryW
0x48d214 SetSystemPowerState
0x48d21c FindResourceW
0x48d220 LoadResource
0x48d224 LockResource
0x48d228 SizeofResource
0x48d22c EnumResourceNamesW
0x48d230 OutputDebugStringW
0x48d234 GetTempPathW
0x48d238 GetTempFileNameW
0x48d23c DeviceIoControl
0x48d240 GetLocalTime
0x48d244 CompareStringW
0x48d24c WaitForSingleObject
0x48d254 GetStdHandle
0x48d258 CreatePipe
0x48d25c InterlockedExchange
0x48d260 TerminateThread
0x48d264 LoadLibraryExW
0x48d268 FindResourceExW
0x48d26c VirtualFree
0x48d270 FormatMessageW
0x48d274 GetExitCodeProcess
0x48d29c GetDriveTypeW
0x48d2a0 GetDiskFreeSpaceExW
0x48d2a4 GetDiskFreeSpaceW
0x48d2ac SetVolumeLabelW
0x48d2b0 CreateHardLinkW
0x48d2b4 SetFileAttributesW
0x48d2b8 GetShortPathNameW
0x48d2bc CreateEventW
0x48d2c0 SetEvent
0x48d2cc GlobalLock
0x48d2d0 GlobalUnlock
0x48d2d4 GlobalAlloc
0x48d2d8 GetFileSize
0x48d2dc GlobalFree
0x48d2e4 Beep
0x48d2e8 GetSystemDirectoryW
0x48d2ec GetComputerNameW
0x48d2f4 GetCurrentProcessId
0x48d2fc CreateProcessW
0x48d300 SetPriorityClass
0x48d304 LoadLibraryW
0x48d308 VirtualAlloc
0x48d30c CloseHandle
0x48d310 GetLastError
0x48d314 GetFullPathNameW
0x48d31c IsDebuggerPresent
0x48d324 lstrcmpiW
0x48d328 RaiseException
0x48d338 CreateThread
0x48d33c DuplicateHandle
0x48d344 GetCurrentProcess
0x48d348 ExitProcess
0x48d34c GetModuleHandleExW
0x48d350 ExitThread
0x48d358 ResumeThread
0x48d35c GetCommandLineW
0x48d364 HeapSize
0x48d368 IsValidCodePage
0x48d36c GetACP
0x48d370 GetOEMCP
0x48d374 GetCPInfo
0x48d378 SetLastError
0x48d384 TlsAlloc
0x48d388 TlsGetValue
0x48d38c TlsSetValue
0x48d390 TlsFree
0x48d394 GetStartupInfoW
0x48d398 GetStringTypeW
0x48d39c SetStdHandle
0x48d3a0 GetFileType
0x48d3a4 GetConsoleCP
0x48d3a8 GetConsoleMode
0x48d3ac RtlUnwind
0x48d3b0 ReadConsoleW
0x48d3b4 SetFilePointer
0x48d3bc GetDateFormatW
0x48d3c0 GetTimeFormatW
0x48d3c4 LCMapStringW
0x48d3d0 HeapReAlloc
0x48d3d4 WriteConsoleW
0x48d3d8 SetEndOfFile
0x48d3dc DeleteFileW
Library USER32.dll:
0x48d4b4 SetWindowPos
0x48d4b8 GetCursorInfo
0x48d4bc RegisterHotKey
0x48d4c0 ClientToScreen
0x48d4c8 IsCharAlphaW
0x48d4cc IsCharAlphaNumericW
0x48d4d0 IsCharLowerW
0x48d4d4 IsCharUpperW
0x48d4d8 GetMenuStringW
0x48d4dc GetSubMenu
0x48d4e0 GetCaretPos
0x48d4e4 IsZoomed
0x48d4e8 MonitorFromPoint
0x48d4ec GetMonitorInfoW
0x48d4f0 SetWindowLongW
0x48d4f8 FlashWindow
0x48d4fc GetClassLongW
0x48d504 IsDialogMessageW
0x48d508 GetSysColor
0x48d50c InflateRect
0x48d510 DrawFocusRect
0x48d514 DrawTextW
0x48d518 FrameRect
0x48d51c DrawFrameControl
0x48d520 FillRect
0x48d524 PtInRect
0x48d530 SetCursor
0x48d534 GetWindowDC
0x48d538 GetSystemMetrics
0x48d53c DrawMenuBar
0x48d540 GetActiveWindow
0x48d544 CharNextW
0x48d548 wsprintfW
0x48d54c RedrawWindow
0x48d550 DestroyMenu
0x48d554 SetMenu
0x48d55c CreateMenu
0x48d560 IsDlgButtonChecked
0x48d564 DefDlgProcW
0x48d568 CallWindowProcW
0x48d56c ReleaseCapture
0x48d570 SetCapture
0x48d574 MonitorFromRect
0x48d578 LoadImageW
0x48d580 mouse_event
0x48d584 ExitWindowsEx
0x48d588 SetActiveWindow
0x48d58c FindWindowExW
0x48d590 EnumThreadWindows
0x48d594 SetMenuDefaultItem
0x48d598 InsertMenuItemW
0x48d59c IsMenu
0x48d5a0 TrackPopupMenuEx
0x48d5a4 GetCursorPos
0x48d5a8 CopyImage
0x48d5ac CheckMenuRadioItem
0x48d5b0 GetMenuItemID
0x48d5b4 GetMenuItemCount
0x48d5b8 SetMenuItemInfoW
0x48d5bc GetMenuItemInfoW
0x48d5c0 SetForegroundWindow
0x48d5c4 IsIconic
0x48d5c8 FindWindowW
0x48d5cc UnregisterHotKey
0x48d5d0 keybd_event
0x48d5d4 SendInput
0x48d5d8 GetAsyncKeyState
0x48d5dc SetKeyboardState
0x48d5e0 GetKeyboardState
0x48d5e4 GetKeyState
0x48d5e8 VkKeyScanW
0x48d5ec LoadStringW
0x48d5f0 DialogBoxParamW
0x48d5f4 MessageBeep
0x48d5f8 EndDialog
0x48d5fc SendDlgItemMessageW
0x48d600 GetDlgItem
0x48d604 SetWindowTextW
0x48d608 CopyRect
0x48d60c ReleaseDC
0x48d610 GetDC
0x48d614 EndPaint
0x48d618 BeginPaint
0x48d61c GetClientRect
0x48d620 GetMenu
0x48d624 DestroyWindow
0x48d628 EnumWindows
0x48d62c GetDesktopWindow
0x48d630 IsWindow
0x48d634 IsWindowEnabled
0x48d638 IsWindowVisible
0x48d63c EnableWindow
0x48d640 InvalidateRect
0x48d644 GetWindowLongW
0x48d64c AttachThreadInput
0x48d650 GetFocus
0x48d654 ScreenToClient
0x48d658 SendMessageTimeoutW
0x48d65c EnumChildWindows
0x48d660 CharUpperBuffW
0x48d664 GetClassNameW
0x48d668 GetParent
0x48d66c GetDlgCtrlID
0x48d670 SendMessageW
0x48d674 MapVirtualKeyW
0x48d678 PostMessageW
0x48d67c GetWindowRect
0x48d684 CloseDesktop
0x48d688 CloseWindowStation
0x48d68c OpenDesktopW
0x48d698 OpenWindowStationW
0x48d6a0 AdjustWindowRectEx
0x48d6a4 SetRect
0x48d6a8 SetClipboardData
0x48d6ac EmptyClipboard
0x48d6b4 CloseClipboard
0x48d6b8 GetClipboardData
0x48d6c0 OpenClipboard
0x48d6c4 BlockInput
0x48d6c8 GetMessageW
0x48d6cc LockWindowUpdate
0x48d6d0 DispatchMessageW
0x48d6d4 TranslateMessage
0x48d6d8 DeleteMenu
0x48d6dc PeekMessageW
0x48d6e0 MessageBoxW
0x48d6e4 DefWindowProcW
0x48d6e8 MoveWindow
0x48d6ec SetFocus
0x48d6f0 PostQuitMessage
0x48d6f4 KillTimer
0x48d6f8 CreatePopupMenu
0x48d700 SetTimer
0x48d704 ShowWindow
0x48d708 CreateWindowExW
0x48d70c RegisterClassExW
0x48d710 LoadIconW
0x48d714 LoadCursorW
0x48d718 GetSysColorBrush
0x48d71c GetForegroundWindow
0x48d720 MessageBoxA
0x48d724 DestroyIcon
0x48d72c CharLowerBuffW
0x48d730 GetWindowTextW
Library GDI32.dll:
0x48d0c4 SetPixel
0x48d0c8 DeleteObject
0x48d0d0 ExtCreatePen
0x48d0d4 StrokeAndFillPath
0x48d0d8 StrokePath
0x48d0dc GetDeviceCaps
0x48d0e0 CloseFigure
0x48d0e4 LineTo
0x48d0e8 AngleArc
0x48d0f0 CreateCompatibleDC
0x48d0f4 MoveToEx
0x48d0f8 Ellipse
0x48d0fc PolyDraw
0x48d100 BeginPath
0x48d104 SelectObject
0x48d108 StretchBlt
0x48d10c GetDIBits
0x48d110 DeleteDC
0x48d114 GetPixel
0x48d118 CreateDCW
0x48d11c GetStockObject
0x48d120 Rectangle
0x48d124 SetViewportOrgEx
0x48d128 GetObjectW
0x48d12c SetBkMode
0x48d130 RoundRect
0x48d134 SetBkColor
0x48d138 CreatePen
0x48d13c CreateSolidBrush
0x48d140 SetTextColor
0x48d144 CreateFontW
0x48d148 GetTextFaceW
0x48d14c EndPath
Library COMDLG32.dll:
0x48d0b8 GetSaveFileNameW
0x48d0bc GetOpenFileNameW
Library ADVAPI32.dll:
0x48d000 GetAclInformation
0x48d004 RegEnumValueW
0x48d008 RegDeleteValueW
0x48d00c RegDeleteKeyW
0x48d010 RegEnumKeyExW
0x48d014 RegSetValueExW
0x48d018 RegCreateKeyExW
0x48d01c GetUserNameW
0x48d020 RegOpenKeyExW
0x48d024 RegCloseKey
0x48d028 RegQueryValueExW
0x48d02c RegConnectRegistryW
0x48d034 InitializeAcl
0x48d03c OpenThreadToken
0x48d040 OpenProcessToken
0x48d048 DuplicateTokenEx
0x48d054 GetLengthSid
0x48d058 CopySid
0x48d060 LogonUserW
0x48d06c FreeSid
0x48d070 GetTokenInformation
0x48d07c AddAce
0x48d080 GetAce
Library SHELL32.dll:
0x48d474 DragQueryPoint
0x48d478 ShellExecuteExW
0x48d47c DragQueryFileW
0x48d480 SHEmptyRecycleBinW
0x48d488 SHBrowseForFolderW
0x48d48c SHCreateShellItem
0x48d490 SHGetDesktopFolder
0x48d498 SHGetFolderPathW
0x48d49c SHFileOperationW
0x48d4a0 ExtractIconExW
0x48d4a4 Shell_NotifyIconW
0x48d4a8 ShellExecuteW
0x48d4ac DragFinish
Library ole32.dll:
0x48d80c CoTaskMemAlloc
0x48d810 CoTaskMemFree
0x48d814 CLSIDFromString
0x48d818 ProgIDFromCLSID
0x48d81c CLSIDFromProgID
0x48d824 MkParseDisplayName
0x48d82c CoCreateInstance
0x48d830 IIDFromString
0x48d834 StringFromGUID2
0x48d83c CoInitialize
0x48d840 CoUninitialize
0x48d84c CoGetObject
0x48d854 CoCreateInstanceEx
0x48d858 CoSetProxyBlanket
Library OLEAUT32.dll:
0x48d3fc RegisterTypeLib
0x48d400 LoadTypeLibEx
0x48d404 VariantCopyInd
0x48d408 SysReAllocString
0x48d40c SysFreeString
0x48d41c SafeArrayAccessData
0x48d420 SafeArrayAllocData
0x48d424 UnRegisterTypeLib
0x48d42c SysAllocString
0x48d430 SysStringLen
0x48d438 VarR8FromDec
0x48d43c SafeArrayGetVartype
0x48d440 OleLoadPicture
0x48d448 VariantCopy
0x48d44c VariantClear
0x48d450 CreateDispTypeInfo
0x48d454 CreateStdDispatch
0x48d458 DispCallFunc
0x48d45c VariantChangeType
0x48d464 VariantInit

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 65004 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51379 239.255.255.250 3702
192.168.56.101 55369 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 63432 239.255.255.250 1900
192.168.56.101 51808 8.8.8.8 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.