11.0
0-day
61 个模型检测该样本为恶意!
重新分析
更多

5bd96a0d70ece4a045c040b8d98ae78979da156e27138aa4a8b718cfff978cbf

75fa1950d036dddf87bddfa1e0f19387.exe

分析耗时

95s

最近分析

文件大小

918.5KB
静态报毒 动态报毒 100% 5GW@AQFHEGMI AI SCORE=88 AIDETECTVM ALI2000015 CLASSIC CONFIDENCE DATASTEALER DELF DELFINJECT DELPHILESS EMTN EMVB FAREIT GENERICKD HIGH CONFIDENCE HPVIUA IQED KCLOUD KRYPTIK MALREP MALWARE2 MALWARE@#1L530EYS0M1X9 NANOCORE SCORE STATIC AI SUSGEN SUSPICIOUS PE TCHOMBYXX7S THIBABO TSCOPE UNSAFE VXPAK X2094 ZELPHIF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20201210 21.1.5827.0
Tencent 20201211 1.0.0.1
Kingsoft Win32.Troj.Undef.(kcloud) 20201211 2017.9.26.565
McAfee Fareit-FPQ!75FA1950D036 20201211 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
The executable uses a known packer (1 个事件)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (11 个事件)
Time & API Arguments Status Return Repeated
1619673893.920374
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
hdjfksfj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75114b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75115d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd89148d
success 0 0
1619673903.326626
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
hdjfksfj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb1148d
success 0 0
1619673909.359126
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
hdjfksfj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb1148d
success 0 0
1619673914.921001
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
hdjfksfj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff67148d
success 0 0
1619673922.576876
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
hdjfksfj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff55148d
success 0 0
1619673930.686751
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
hdjfksfj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb5148d
success 0 0
1619673934.858876
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
hdjfksfj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff4b148d
success 0 0
1619673939.404374
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
hdjfksfj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd95148d
success 0 0
1619673944.139751
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
hdjfksfj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x751c4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x751c5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdda148d
success 0 0
1619673948.780001
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
hdjfksfj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff4f148d
success 0 0
1619673953.655001
__exception__
stacktrace: 
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
hdjfksfj+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb3148d
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 347 个事件)
Time & API Arguments Status Return Repeated
1619649228.625524
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619649228.672524
NtAllocateVirtualMemory
process_identifier: 284
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00510000
success 0 0
1619649228.672524
NtAllocateVirtualMemory
process_identifier: 284
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00540000
success 0 0
1619673892.076626
NtAllocateVirtualMemory
process_identifier: 2824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619673892.123626
NtAllocateVirtualMemory
process_identifier: 2824
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00500000
success 0 0
1619673892.123626
NtAllocateVirtualMemory
process_identifier: 2824
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00530000
success 0 0
1619673893.076374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619673893.123374
NtAllocateVirtualMemory
process_identifier: 520
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f50000
success 0 0
1619673893.123374
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02030000
success 0 0
1619673893.123374
NtAllocateVirtualMemory
process_identifier: 520
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f50000
success 0 0
1619673893.123374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f52000
success 0 0
1619673893.873374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00332000
success 0 0
1619673893.873374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619673893.873374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00332000
success 0 0
1619673893.873374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619673893.873374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00332000
success 0 0
1619673893.873374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619673893.873374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00332000
success 0 0
1619673893.873374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619673893.873374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00332000
success 0 0
1619673893.873374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619673893.873374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00332000
success 0 0
1619673893.873374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619673893.889374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00332000
success 0 0
1619673893.889374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619673893.889374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00332000
success 0 0
1619673893.889374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619673893.889374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00332000
success 0 0
1619673893.889374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619673893.889374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00332000
success 0 0
1619673893.889374
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619673893.624001
NtAllocateVirtualMemory
process_identifier: 3064
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005c0000
success 0 0
1619673893.765001
NtAllocateVirtualMemory
process_identifier: 3064
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00630000
success 0 0
1619673893.780001
NtAllocateVirtualMemory
process_identifier: 3064
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00660000
success 0 0
1619673901.498501
NtAllocateVirtualMemory
process_identifier: 3132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00350000
success 0 0
1619673901.623501
NtAllocateVirtualMemory
process_identifier: 3132
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00390000
success 0 0
1619673901.654501
NtAllocateVirtualMemory
process_identifier: 3132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003c0000
success 0 0
1619673903.233626
NtProtectVirtualMemory
process_identifier: 3212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619673903.248626
NtAllocateVirtualMemory
process_identifier: 3212
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f70000
success 0 0
1619673903.248626
NtAllocateVirtualMemory
process_identifier: 3212
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fc0000
success 0 0
1619673903.248626
NtAllocateVirtualMemory
process_identifier: 3212
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02090000
success 0 0
1619673903.248626
NtProtectVirtualMemory
process_identifier: 3212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02092000
success 0 0
1619673903.279626
NtProtectVirtualMemory
process_identifier: 3212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005b2000
success 0 0
1619673903.279626
NtProtectVirtualMemory
process_identifier: 3212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619673903.279626
NtProtectVirtualMemory
process_identifier: 3212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005b2000
success 0 0
1619673903.279626
NtProtectVirtualMemory
process_identifier: 3212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619673903.279626
NtProtectVirtualMemory
process_identifier: 3212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005b2000
success 0 0
1619673903.279626
NtProtectVirtualMemory
process_identifier: 3212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619673903.279626
NtProtectVirtualMemory
process_identifier: 3212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x005b2000
success 0 0
1619673903.279626
NtProtectVirtualMemory
process_identifier: 3212
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
Creates executable files on the filesystem (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (32 个事件)
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.679381131325742 section {'size_of_data': '0x0006fa00', 'virtual_address': '0x0007b000', 'entropy': 7.679381131325742, 'name': '.rsrc', 'virtual_size': '0x0006f8e0'} description A section with a high entropy has been found
entropy 0.48664850136239785 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 个事件)
process hdjfksfj.exe
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (35 个事件)
Time & API Arguments Status Return Repeated
1619649228.672524
Process32NextW
process_name: 75fa1950d036dddf87bddfa1e0f19387.exe
snapshot_handle: 0x000000f4
process_identifier: 284
failed 0 0
1619673892.139626
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2436
failed 0 0
1619673893.796001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2864
failed 0 0
1619673899.546001
Process32NextW
process_name: hdjfksfj.exe
snapshot_handle: 0x00000170
process_identifier: 3064
failed 0 0
1619673901.779501
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3200
failed 0 0
1619673904.530126
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3372
failed 0 0
1619673906.859126
Process32NextW
process_name: hdjfksfj.exe
snapshot_handle: 0x00000134
process_identifier: 3280
failed 0 0
1619673907.702001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3448
failed 0 0
1619673910.187001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3608
failed 0 0
1619673911.937001
Process32NextW
process_name: hdjfksfj.exe
snapshot_handle: 0x00000120
process_identifier: 3524
failed 0 0
1619673913.248751
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3696
failed 0 0
1619673915.796001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3864
failed 0 0
1619673917.780001
Process32NextW
process_name: hdjfksfj.exe
snapshot_handle: 0x00000124
process_identifier: 3764
failed 0 0
1619673919.983499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3944
failed 0 0
1619673923.123374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 368
failed 0 0
1619673929.436374
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x00000184
process_identifier: 3164
failed 0 0
1619673929.874251
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2196
failed 0 0
1619673931.498626
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3208
failed 0 0
1619673932.467626
Process32NextW
process_name: hdjfksfj.exe
snapshot_handle: 0x00000110
process_identifier: 1816
failed 0 0
1619673933.421126
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2952
failed 0 0
1619673935.467374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2652
failed 0 0
1619673937.342374
Process32NextW
process_name: hdjfksfj.exe
snapshot_handle: 0x00000120
process_identifier: 3364
failed 0 0
1619673938.140126
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3792
failed 0 0
1619673939.812251
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3984
failed 0 0
1619673941.546251
Process32NextW
process_name: hdjfksfj.exe
snapshot_handle: 0x00000120
process_identifier: 952
failed 0 0
1619673942.264374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2452
failed 0 0
1619673944.170374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3264
failed 0 0
1619673946.889374
Process32NextW
process_name: hdjfksfj.exe
snapshot_handle: 0x00000130
process_identifier: 3960
failed 0 0
1619673947.467499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 1948
failed 0 0
1619673949.311751
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3116
failed 0 0
1619673951.014751
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x00000120
process_identifier: 1712
failed 0 0
1619673951.937126
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3752
failed 0 0
1619673954.359251
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 1940
failed 0 0
1619673955.687251
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x00000108
process_identifier: 1664
failed 0 0
1619673956.952126
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3316
failed 0 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe:ZoneIdentifier
Allocates execute permission to another process indicative of possible code injection (1 个事件)
Time & API Arguments Status Return Repeated
1619649228.890524
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
Installs itself for autorun at Windows startup (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 284 created a thread in remote process 2740
Time & API Arguments Status Return Repeated
1619649228.890524
NtQueueApcThread
thread_handle: 0x00000104
process_identifier: 2740
function_address: 0x000f05c0
parameter: 0x00100000
success 0 0
Potential code injection by writing to the memory of another process (2 个事件)
Time & API Arguments Status Return Repeated
1619649228.890524
WriteProcessMemory
process_identifier: 2740
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÅÉt èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x000000fc
base_address: 0x000f0000
success 1 0
1619649228.890524
WriteProcessMemory
process_identifier: 2740
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\75fa1950d036dddf87bddfa1e0f19387.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\75fa1950d036dddf87bddfa1e0f19387.exe" webset ZvxeSXihoEQlEhj = crEaTEobject("wsCRipT.sHeLl") zvxEsXihOeqLEhj.RUn """%ls""", 0, False
process_handle: 0x000000fc
base_address: 0x00100000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (22 个事件)
Process injection Process 2824 called NtSetContextThread to modify thread in remote process 520
Process injection Process 3132 called NtSetContextThread to modify thread in remote process 3212
Process injection Process 3392 called NtSetContextThread to modify thread in remote process 3460
Process injection Process 3636 called NtSetContextThread to modify thread in remote process 3704
Process injection Process 3888 called NtSetContextThread to modify thread in remote process 3956
Process injection Process 3192 called NtSetContextThread to modify thread in remote process 3044
Process injection Process 3420 called NtSetContextThread to modify thread in remote process 2948
Process injection Process 3396 called NtSetContextThread to modify thread in remote process 3816
Process injection Process 3948 called NtSetContextThread to modify thread in remote process 1880
Process injection Process 3348 called NtSetContextThread to modify thread in remote process 1740
Process injection Process 2040 called NtSetContextThread to modify thread in remote process 3852
Time & API Arguments Status Return Repeated
1619673892.311626
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 520
success 0 0
1619673902.108501
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3212
success 0 0
1619673908.093001
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3460
success 0 0
1619673913.873751
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3704
success 0 0
1619673920.779499
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3956
success 0 0
1619673929.999251
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3044
success 0 0
1619673933.874126
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2948
success 0 0
1619673938.296126
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3816
success 0 0
1619673943.061374
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1880
success 0 0
1619673947.717499
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1740
success 0 0
1619673952.343126
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3852
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (22 个事件)
Process injection Process 2824 resumed a thread in remote process 520
Process injection Process 3132 resumed a thread in remote process 3212
Process injection Process 3392 resumed a thread in remote process 3460
Process injection Process 3636 resumed a thread in remote process 3704
Process injection Process 3888 resumed a thread in remote process 3956
Process injection Process 3192 resumed a thread in remote process 3044
Process injection Process 3420 resumed a thread in remote process 2948
Process injection Process 3396 resumed a thread in remote process 3816
Process injection Process 3948 resumed a thread in remote process 1880
Process injection Process 3348 resumed a thread in remote process 1740
Process injection Process 2040 resumed a thread in remote process 3852
Time & API Arguments Status Return Repeated
1619673892.904626
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 520
success 0 0
1619673903.061501
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3212
success 0 0
1619673908.765001
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3460
success 0 0
1619673914.326751
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3704
success 0 0
1619673922.061499
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3956
success 0 0
1619673930.249251
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3044
success 0 0
1619673934.327126
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2948
success 0 0
1619673938.890126
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3816
success 0 0
1619673943.654374
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 1880
success 0 0
1619673948.123499
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 1740
success 0 0
1619673953.202126
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3852
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 94 个事件)
Time & API Arguments Status Return Repeated
1619649228.890524
CreateProcessInternalW
thread_identifier: 2208
thread_handle: 0x00000104
process_identifier: 2740
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619649228.890524
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
1619649228.890524
NtAllocateVirtualMemory
process_identifier: 2740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1619649228.890524
WriteProcessMemory
process_identifier: 2740
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÅÉt èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x000000fc
base_address: 0x000f0000
success 1 0
1619649228.890524
WriteProcessMemory
process_identifier: 2740
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\75fa1950d036dddf87bddfa1e0f19387.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\75fa1950d036dddf87bddfa1e0f19387.exe" webset ZvxeSXihoEQlEhj = crEaTEobject("wsCRipT.sHeLl") zvxEsXihOeqLEhj.RUn """%ls""", 0, False
process_handle: 0x000000fc
base_address: 0x00100000
success 1 0
1619673891.811751
CreateProcessInternalW
thread_identifier: 1544
thread_handle: 0x000000d0
process_identifier: 2824
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619673892.233626
CreateProcessInternalW
thread_identifier: 944
thread_handle: 0x00000104
process_identifier: 520
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619673892.233626
NtUnmapViewOfSection
process_identifier: 520
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619673892.233626
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 520
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619673892.311626
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619673892.311626
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 520
success 0 0
1619673892.904626
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 520
success 0 0
1619673892.983626
CreateProcessInternalW
thread_identifier: 1380
thread_handle: 0x00000108
process_identifier: 3064
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe" 2 520 13289546
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619673900.984001
CreateProcessInternalW
thread_identifier: 3136
thread_handle: 0x00000174
process_identifier: 3132
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000178
inherit_handles: 0
success 1 0
1619673901.904501
CreateProcessInternalW
thread_identifier: 3216
thread_handle: 0x00000104
process_identifier: 3212
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619673901.904501
NtUnmapViewOfSection
process_identifier: 3212
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619673901.904501
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3212
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619673902.092501
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619673902.108501
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3212
success 0 0
1619673903.061501
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3212
success 0 0
1619673903.217501
CreateProcessInternalW
thread_identifier: 3284
thread_handle: 0x00000108
process_identifier: 3280
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe" 2 3212 13299703
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619673907.249126
CreateProcessInternalW
thread_identifier: 3396
thread_handle: 0x00000138
process_identifier: 3392
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000013c
inherit_handles: 0
success 1 0
1619673907.952001
CreateProcessInternalW
thread_identifier: 3464
thread_handle: 0x00000104
process_identifier: 3460
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619673907.952001
NtUnmapViewOfSection
process_identifier: 3460
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619673907.968001
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3460
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619673908.077001
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619673908.093001
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3460
success 0 0
1619673908.765001
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3460
success 0 0
1619673909.390001
CreateProcessInternalW
thread_identifier: 3528
thread_handle: 0x00000108
process_identifier: 3524
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe" 2 3460 13305406
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619673912.405001
CreateProcessInternalW
thread_identifier: 3640
thread_handle: 0x00000124
process_identifier: 3636
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000128
inherit_handles: 0
success 1 0
1619673913.733751
CreateProcessInternalW
thread_identifier: 3708
thread_handle: 0x00000104
process_identifier: 3704
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619673913.733751
NtUnmapViewOfSection
process_identifier: 3704
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619673913.748751
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3704
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619673913.873751
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619673913.873751
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3704
success 0 0
1619673914.326751
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3704
success 0 0
1619673914.983751
CreateProcessInternalW
thread_identifier: 3768
thread_handle: 0x00000108
process_identifier: 3764
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe" 2 3704 13310968
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619673918.390001
CreateProcessInternalW
thread_identifier: 3892
thread_handle: 0x00000128
process_identifier: 3888
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000012c
inherit_handles: 0
success 1 0
1619673920.623499
CreateProcessInternalW
thread_identifier: 3960
thread_handle: 0x00000104
process_identifier: 3956
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619673920.623499
NtUnmapViewOfSection
process_identifier: 3956
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619673920.670499
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3956
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619673920.779499
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619673920.779499
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3956
success 0 0
1619673922.061499
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3956
success 0 0
1619673922.248499
CreateProcessInternalW
thread_identifier: 3096
thread_handle: 0x00000108
process_identifier: 3092
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe" 2 3956 13318718
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619673929.576374
CreateProcessInternalW
thread_identifier: 3188
thread_handle: 0x00000188
process_identifier: 3192
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000018c
inherit_handles: 0
success 1 0
1619673929.952251
CreateProcessInternalW
thread_identifier: 2120
thread_handle: 0x00000104
process_identifier: 3044
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\hdjfksfj.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619673929.952251
NtUnmapViewOfSection
process_identifier: 3044
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619673929.952251
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3044
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619673929.999251
NtGetContextThread
thread_handle: 0x00000104
success 0 0
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 个事件)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34266428
FireEye Generic.mg.75fa1950d036dddf
ALYac Trojan.GenericKD.34266428
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Malware
K7AntiVirus Trojan ( 0056e07d1 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 0056e07d1 )
Cybereason malicious.1391fb
Arcabit Trojan.Generic.D20ADD3C
Cyren W32/Trojan.IQED-2207
Symantec Trojan.Gen.2
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Dropper.Nanocore-9171472-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Trojan.GenericKD.34266428
NANO-Antivirus Trojan.Win32.Kryptik.hpviua
Paloalto generic.ml
AegisLab Trojan.Win32.Kryptik.4!c
Ad-Aware Trojan.GenericKD.34266428
Sophos Mal/Generic-S
Comodo Malware@#1l530eys0m1x9
F-Secure Trojan.TR/Injector.vxpak
DrWeb Trojan.PWS.Stealer.29016
Zillya Trojan.Injector.Win32.755343
TrendMicro Trojan.Win32.MALREP.THIBABO
McAfee-GW-Edition BehavesLike.Win32.Fareit.dc
Emsisoft Trojan.GenericKD.34266428 (B)
Ikarus Trojan.Inject
Webroot W32.Trojan.Gen
Avira TR/Injector.vxpak
eGambit Unsafe.AI_Score_99%
Antiy-AVL Trojan/Win32.Kryptik
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Kryptik.oa
Microsoft Trojan:Win32/DataStealer.VD!MTB
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Trojan.GenericKD.34266428
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2094
Acronis suspicious
McAfee Fareit-FPQ!75FA1950D036
MAX malware (ai score=88)
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack.DLF
ESET-NOD32 a variant of Win32/Injector.EMVB
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x46f13c VirtualFree
0x46f140 VirtualAlloc
0x46f144 LocalFree
0x46f148 LocalAlloc
0x46f14c GetVersion
0x46f150 GetCurrentThreadId
0x46f15c VirtualQuery
0x46f160 WideCharToMultiByte
0x46f164 MultiByteToWideChar
0x46f168 lstrlenA
0x46f16c lstrcpynA
0x46f170 LoadLibraryExA
0x46f174 GetThreadLocale
0x46f178 GetStartupInfoA
0x46f17c GetProcAddress
0x46f180 GetModuleHandleA
0x46f184 GetModuleFileNameA
0x46f188 GetLocaleInfoA
0x46f18c GetCommandLineA
0x46f190 FreeLibrary
0x46f194 FindFirstFileA
0x46f198 FindClose
0x46f19c ExitProcess
0x46f1a0 WriteFile
0x46f1a8 RtlUnwind
0x46f1ac RaiseException
0x46f1b0 GetStdHandle
Library user32.dll:
0x46f1b8 GetKeyboardType
0x46f1bc LoadStringA
0x46f1c0 MessageBoxA
0x46f1c4 CharNextA
Library advapi32.dll:
0x46f1cc RegQueryValueExA
0x46f1d0 RegOpenKeyExA
0x46f1d4 RegCloseKey
Library oleaut32.dll:
0x46f1dc SysFreeString
0x46f1e0 SysReAllocStringLen
0x46f1e4 SysAllocStringLen
Library kernel32.dll:
0x46f1ec TlsSetValue
0x46f1f0 TlsGetValue
0x46f1f4 LocalAlloc
0x46f1f8 GetModuleHandleA
Library advapi32.dll:
0x46f200 RegQueryValueExA
0x46f204 RegOpenKeyExA
0x46f208 RegCloseKey
Library kernel32.dll:
0x46f210 lstrcpyA
0x46f214 WriteFile
0x46f218 WaitForSingleObject
0x46f21c VirtualQuery
0x46f220 VirtualAlloc
0x46f224 Sleep
0x46f228 SizeofResource
0x46f22c SetThreadLocale
0x46f230 SetFilePointer
0x46f234 SetEvent
0x46f238 SetErrorMode
0x46f23c SetEndOfFile
0x46f240 ResetEvent
0x46f244 ReadFile
0x46f248 MulDiv
0x46f24c LockResource
0x46f250 LoadResource
0x46f254 LoadLibraryA
0x46f260 GlobalUnlock
0x46f264 GlobalReAlloc
0x46f268 GlobalHandle
0x46f26c GlobalLock
0x46f270 GlobalFree
0x46f274 GlobalFindAtomA
0x46f278 GlobalDeleteAtom
0x46f27c GlobalAlloc
0x46f280 GlobalAddAtomA
0x46f284 GetVersionExA
0x46f288 GetVersion
0x46f28c GetTickCount
0x46f290 GetThreadLocale
0x46f294 GetSystemInfo
0x46f298 GetStringTypeExA
0x46f29c GetStdHandle
0x46f2a0 GetProcAddress
0x46f2a4 GetModuleHandleA
0x46f2a8 GetModuleFileNameA
0x46f2ac GetLocaleInfoA
0x46f2b0 GetLocalTime
0x46f2b4 GetLastError
0x46f2b8 GetFullPathNameA
0x46f2bc GetDiskFreeSpaceA
0x46f2c0 GetDateFormatA
0x46f2c4 GetCurrentThreadId
0x46f2c8 GetCurrentProcessId
0x46f2cc GetCPInfo
0x46f2d0 GetACP
0x46f2d4 FreeResource
0x46f2d8 InterlockedExchange
0x46f2dc FreeLibrary
0x46f2e0 FormatMessageA
0x46f2e4 FindResourceA
0x46f2e8 EnumCalendarInfoA
0x46f2f4 CreateThread
0x46f2f8 CreateFileA
0x46f2fc CreateEventA
0x46f300 CompareStringA
0x46f304 CloseHandle
Library version.dll:
0x46f30c VerQueryValueA
0x46f314 GetFileVersionInfoA
Library gdi32.dll:
0x46f31c UnrealizeObject
0x46f320 StretchBlt
0x46f324 SetWindowOrgEx
0x46f328 SetWinMetaFileBits
0x46f32c SetViewportOrgEx
0x46f330 SetTextColor
0x46f334 SetStretchBltMode
0x46f338 SetROP2
0x46f33c SetPixel
0x46f340 SetEnhMetaFileBits
0x46f344 SetDIBColorTable
0x46f348 SetBrushOrgEx
0x46f34c SetBkMode
0x46f350 SetBkColor
0x46f354 SelectPalette
0x46f358 SelectObject
0x46f35c SaveDC
0x46f360 RestoreDC
0x46f364 RectVisible
0x46f368 RealizePalette
0x46f36c Polyline
0x46f370 PlayEnhMetaFile
0x46f374 PatBlt
0x46f378 MoveToEx
0x46f37c MaskBlt
0x46f380 LineTo
0x46f384 IntersectClipRect
0x46f388 GetWindowOrgEx
0x46f38c GetWinMetaFileBits
0x46f390 GetTextMetricsA
0x46f39c GetStockObject
0x46f3a0 GetPixel
0x46f3a4 GetPaletteEntries
0x46f3a8 GetObjectA
0x46f3b4 GetEnhMetaFileBits
0x46f3b8 GetDeviceCaps
0x46f3bc GetDIBits
0x46f3c0 GetDIBColorTable
0x46f3c4 GetDCOrgEx
0x46f3cc GetClipBox
0x46f3d0 GetBrushOrgEx
0x46f3d4 GetBitmapBits
0x46f3d8 GetArcDirection
0x46f3dc ExtTextOutA
0x46f3e0 ExcludeClipRect
0x46f3e4 DeleteObject
0x46f3e8 DeleteEnhMetaFile
0x46f3ec DeleteDC
0x46f3f0 CreateSolidBrush
0x46f3f4 CreatePenIndirect
0x46f3f8 CreatePalette
0x46f400 CreateFontIndirectA
0x46f404 CreateDIBitmap
0x46f408 CreateDIBSection
0x46f40c CreateCompatibleDC
0x46f414 CreateBrushIndirect
0x46f418 CreateBitmap
0x46f41c CopyEnhMetaFileA
0x46f420 BitBlt
Library user32.dll:
0x46f428 CreateWindowExA
0x46f42c WindowFromPoint
0x46f430 WinHelpA
0x46f434 WaitMessage
0x46f438 UpdateWindow
0x46f43c UnregisterClassA
0x46f440 UnhookWindowsHookEx
0x46f444 TranslateMessage
0x46f44c TrackPopupMenu
0x46f454 ShowWindow
0x46f458 ShowScrollBar
0x46f45c ShowOwnedPopups
0x46f460 ShowCursor
0x46f464 SetWindowsHookExA
0x46f468 SetWindowPos
0x46f46c SetWindowPlacement
0x46f470 SetWindowLongA
0x46f474 SetTimer
0x46f478 SetScrollRange
0x46f47c SetScrollPos
0x46f480 SetScrollInfo
0x46f484 SetRect
0x46f488 SetPropA
0x46f48c SetParent
0x46f490 SetMenuItemInfoA
0x46f494 SetMenu
0x46f498 SetForegroundWindow
0x46f49c SetFocus
0x46f4a0 SetCursor
0x46f4a4 SetClassLongA
0x46f4a8 SetCapture
0x46f4ac SetActiveWindow
0x46f4b0 SendMessageA
0x46f4b4 ScrollWindow
0x46f4b8 ScreenToClient
0x46f4bc RemovePropA
0x46f4c0 RemoveMenu
0x46f4c4 ReleaseDC
0x46f4c8 ReleaseCapture
0x46f4d4 RegisterClassA
0x46f4d8 RedrawWindow
0x46f4dc PtInRect
0x46f4e0 PostQuitMessage
0x46f4e4 PostMessageA
0x46f4e8 PeekMessageA
0x46f4ec OffsetRect
0x46f4f0 OemToCharA
0x46f4f4 MessageBoxA
0x46f4f8 MapWindowPoints
0x46f4fc MapVirtualKeyA
0x46f500 LoadStringA
0x46f504 LoadKeyboardLayoutA
0x46f508 LoadIconA
0x46f50c LoadCursorA
0x46f510 LoadBitmapA
0x46f514 KillTimer
0x46f518 IsZoomed
0x46f51c IsWindowVisible
0x46f520 IsWindowEnabled
0x46f524 IsWindow
0x46f528 IsRectEmpty
0x46f52c IsIconic
0x46f530 IsDialogMessageA
0x46f534 IsChild
0x46f538 InvalidateRect
0x46f53c IntersectRect
0x46f540 InsertMenuItemA
0x46f544 InsertMenuA
0x46f548 InflateRect
0x46f550 GetWindowTextA
0x46f554 GetWindowRect
0x46f558 GetWindowPlacement
0x46f55c GetWindowLongA
0x46f560 GetWindowDC
0x46f564 GetTopWindow
0x46f568 GetSystemMetrics
0x46f56c GetSystemMenu
0x46f570 GetSysColorBrush
0x46f574 GetSysColor
0x46f578 GetSubMenu
0x46f57c GetScrollRange
0x46f580 GetScrollPos
0x46f584 GetScrollInfo
0x46f588 GetPropA
0x46f58c GetParent
0x46f590 GetWindow
0x46f594 GetMenuStringA
0x46f598 GetMenuState
0x46f59c GetMenuItemInfoA
0x46f5a0 GetMenuItemID
0x46f5a4 GetMenuItemCount
0x46f5a8 GetMenu
0x46f5ac GetLastActivePopup
0x46f5b0 GetKeyboardState
0x46f5b8 GetKeyboardLayout
0x46f5bc GetKeyState
0x46f5c0 GetKeyNameTextA
0x46f5c4 GetIconInfo
0x46f5c8 GetForegroundWindow
0x46f5cc GetFocus
0x46f5d0 GetDlgItem
0x46f5d4 GetDesktopWindow
0x46f5d8 GetDCEx
0x46f5dc GetDC
0x46f5e0 GetCursorPos
0x46f5e4 GetCursor
0x46f5e8 GetClipboardData
0x46f5ec GetClientRect
0x46f5f0 GetClassNameA
0x46f5f4 GetClassInfoA
0x46f5f8 GetCapture
0x46f5fc GetActiveWindow
0x46f600 FrameRect
0x46f604 FindWindowA
0x46f608 FillRect
0x46f60c EqualRect
0x46f610 EnumWindows
0x46f614 EnumThreadWindows
0x46f618 EndPaint
0x46f61c EnableWindow
0x46f620 EnableScrollBar
0x46f624 EnableMenuItem
0x46f628 DrawTextA
0x46f62c DrawMenuBar
0x46f630 DrawIconEx
0x46f634 DrawIcon
0x46f638 DrawFrameControl
0x46f63c DrawEdge
0x46f640 DispatchMessageA
0x46f644 DestroyWindow
0x46f648 DestroyMenu
0x46f64c DestroyIcon
0x46f650 DestroyCursor
0x46f654 DeleteMenu
0x46f658 DefWindowProcA
0x46f65c DefMDIChildProcA
0x46f660 DefFrameProcA
0x46f664 CreatePopupMenu
0x46f668 CreateMenu
0x46f66c CreateIcon
0x46f670 ClientToScreen
0x46f674 CheckMenuItem
0x46f678 CallWindowProcA
0x46f67c CallNextHookEx
0x46f680 BeginPaint
0x46f684 CharNextA
0x46f688 CharLowerBuffA
0x46f68c CharLowerA
0x46f690 CharToOemA
0x46f694 AdjustWindowRectEx
Library kernel32.dll:
0x46f6a0 Sleep
Library oleaut32.dll:
0x46f6a8 SafeArrayPtrOfIndex
0x46f6ac SafeArrayGetUBound
0x46f6b0 SafeArrayGetLBound
0x46f6b4 SafeArrayCreate
0x46f6b8 VariantChangeType
0x46f6bc VariantCopy
0x46f6c0 VariantClear
0x46f6c4 VariantInit
Library comctl32.dll:
0x46f6d4 ImageList_Write
0x46f6d8 ImageList_Read
0x46f6e8 ImageList_DragMove
0x46f6ec ImageList_DragLeave
0x46f6f0 ImageList_DragEnter
0x46f6f4 ImageList_EndDrag
0x46f6f8 ImageList_BeginDrag
0x46f6fc ImageList_Remove
0x46f700 ImageList_DrawEx
0x46f704 ImageList_Draw
0x46f714 ImageList_Add
0x46f71c ImageList_Destroy
0x46f720 ImageList_Create
0x46f724 InitCommonControls
Library comdlg32.dll:
0x46f72c GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.