14.2
0-day

c58b23cd9c18272996eb7884920744eddb08fd591e2a5f4424a115cd575c144a

7834c8ffbaa77e689c8580832241bff3.exe

Analysis time

87s

Last analysis

File size

623.5KB
Static detection  Dynamic detection  AALG AGUU AI SCORE=83 AIDETECTVM AVSARHER BTOMTW CLASSIC CONFIDENCE DELF DELPHILESS ELDORADO ELXR EMHC ERLI FAREIT FORMBOOK HIGH CONFIDENCE HLDROS KRYPTIK LOKIBOT MALWARE1 MALWARE@#2ZU77FH1SFX4I MGW@A4YC8UHI NANOCORE R + MAL R06EC0DIA20 RATX REMCOS SCORE SIGGEN2 STATIC AI SUSGEN SUSPICIOUS PE TSCOPE UNSAFE WACATAC X2066 ZELPHIF
Eagle Eye engine
Not detected  No Eagle Eye engine detection results yet
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
McAfee Fareit-FTB!7834C8FFBAA7 20210127 6.0.6.653
CrowdStrike win/malicious_confidence_90% (W) 20210106 1.0
Alibaba Trojan:Win32/FormBook.cecc1126 20190527 0.3.0.5
Avast Win32:RATX-gen [Trj] 20210126 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft 20210127 2017.9.26.565
Tencent Win32.Trojan.Kryptik.Aguu 20210127 1.0.0.1
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (31 events)
Time & API Arguments Status Return Repeated
1619649228.009979
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01db0000
success 0 0
1619649228.228979
NtProtectVirtualMemory
process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619649228.228979
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ec0000
success 0 0
1619673738.431625
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619673738.478625
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619673738.478625
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f90000
success 0 0
1619673751.21375
NtAllocateVirtualMemory
process_identifier: 2868
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1619673751.35375
NtProtectVirtualMemory
process_identifier: 2868
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619673751.35375
NtAllocateVirtualMemory
process_identifier: 2868
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00660000
success 0 0
1619673757.4165
NtAllocateVirtualMemory
process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00590000
success 0 0
1619673757.5885
NtProtectVirtualMemory
process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619673757.5885
NtAllocateVirtualMemory
process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x020e0000
success 0 0
1619673758.749633
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00580000
success 0 0
1619673758.765633
NtProtectVirtualMemory
process_identifier: 2344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619673758.765633
NtAllocateVirtualMemory
process_identifier: 2344
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e10000
success 0 0
1619673770.665274
NtAllocateVirtualMemory
process_identifier: 3232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619673771.180274
NtProtectVirtualMemory
process_identifier: 3232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619673771.180274
NtAllocateVirtualMemory
process_identifier: 3232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01fa0000
success 0 0
1619673774.962524
NtAllocateVirtualMemory
process_identifier: 3484
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619673775.118524
NtProtectVirtualMemory
process_identifier: 3484
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619673775.134524
NtAllocateVirtualMemory
process_identifier: 3484
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00790000
success 0 0
1619673780.024774
NtAllocateVirtualMemory
process_identifier: 3600
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1619673780.165774
NtProtectVirtualMemory
process_identifier: 3600
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619673780.165774
NtAllocateVirtualMemory
process_identifier: 3600
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00880000
success 0 0
1619673781.283813
NtAllocateVirtualMemory
process_identifier: 3748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1619673781.314813
NtProtectVirtualMemory
process_identifier: 3748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619673781.330813
NtAllocateVirtualMemory
process_identifier: 3748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e10000
success 0 0
1619673787.810531
NtAllocateVirtualMemory
process_identifier: 3964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619673787.889531
NtProtectVirtualMemory
process_identifier: 3964
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0045e000
success 0 0
1619673787.889531
NtAllocateVirtualMemory
process_identifier: 3964
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e80000
success 0 0
1619673795.57603
NtAllocateVirtualMemory
process_identifier: 3332
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01db0000
success 0 0
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wap.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
Creates a suspicious process (1 event)
cmdline "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
Drops a binary and executes it (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe
A process created a hidden window (6 events)
Time & API Arguments Status Return Repeated
1619673752.931625
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs
show_type: 0
success 1 0
1619673756.853625
ShellExecuteExW
parameters: /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
filepath: cmd
filepath_r: cmd
show_type: 0
success 1 0
1619673772.165774
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs
show_type: 0
success 1 0
1619673779.321274
ShellExecuteExW
parameters: /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
filepath: cmd
filepath_r: cmd
show_type: 0
success 1 0
1619673789.107781
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs
show_type: 0
success 1 0
1619673794.076281
ShellExecuteExW
parameters: /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
filepath: cmd
filepath_r: cmd
show_type: 0
success 1 0
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (16 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.314260294478326 section {'size_of_data': '0x0002ca00', 'virtual_address': '0x00075000', 'entropy': 7.314260294478326, 'name': '.rsrc', 'virtual_size': '0x0002c9a4'} description A section with a high entropy has been found
entropy 0.28674698795180725 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process hgghuyguy.exe
Repeatedly searches for a not-found process; you may want to run a web browser during analysis (9 events)
Time & API Arguments Status Return Repeated
1619649228.259979
Process32NextW
process_name: conhost.exe
snapshot_handle: 0x00000100
process_identifier: 3068
failed 0 0
1619673738.478625
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000fc
process_identifier: 368
failed 0 0
1619673751.36975
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000fc
process_identifier: 2864
failed 0 0
1619673756.72875
Process32NextW
process_name: wscript.exe
snapshot_handle: 0x00000198
process_identifier: 2284
failed 0 0
1619673758.765633
Process32NextW
process_name: remcos.exe
snapshot_handle: 0x000000fc
process_identifier: 2344
failed 0 0
1619673778.790274
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x0000019c
process_identifier: 3592
failed 0 0
1619673780.165774
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000fc
process_identifier: 3716
failed 0 0
1619673781.330813
Process32NextW
process_name: remcos.exe
snapshot_handle: 0x00000100
process_identifier: 3748
failed 0 0
1619673793.982531
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x00000174
process_identifier: 3004
failed 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe:ZoneIdentifier
Allocates execute permission to another process, indicative of possible code injection (3 events)
Time & API Arguments Status Return Repeated
1619649240.447979
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000108
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619673771.530633
NtAllocateVirtualMemory
process_identifier: 3320
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000104
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
1619673794.252813
NtAllocateVirtualMemory
process_identifier: 3220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000108
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
Installs itself for autorun at Windows startup (4 events)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wap.vbs
Manipulates memory of a non-child process, indicative of process injection (3 events)
Process injection Process 3600 manipulating memory of non-child process 3144
Time & API Arguments Status Return Repeated
1619673793.884774
NtUnmapViewOfSection
process_identifier: 3144
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619673793.899774
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 3144
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
Creates a thread using NtQueueApcThread in a remote process, potentially indicative of process injection (6 events)
Process injection Process 2196 created a thread in remote process 2504
Process injection Process 2344 created a thread in remote process 3320
Process injection Process 3748 created a thread in remote process 3220
Time & API Arguments Status Return Repeated
1619649240.447979
NtQueueApcThread
thread_handle: 0x00000110
process_identifier: 2504
function_address: 0x000b05c0
parameter: 0x00100000
success 0 0
1619673771.546633
NtQueueApcThread
thread_handle: 0x0000010c
process_identifier: 3320
function_address: 0x000f05c0
parameter: 0x00100000
success 0 0
1619673794.252813
NtQueueApcThread
thread_handle: 0x00000110
process_identifier: 3220
function_address: 0x000f05c0
parameter: 0x00100000
success 0 0
Potential code injection by writing to the memory of another process (6 events)
Time & API Arguments Status Return Repeated
1619649240.447979
WriteProcessMemory
process_identifier: 2504
process_handle: 0x00000108
base_address: 0x000b0000
success 1 0
1619649240.447979
WriteProcessMemory
process_identifier: 2504
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7834c8ffbaa77e689c8580832241bff3.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7834c8ffbaa77e689c8580832241bff3.exe" wapset XHxSLDlAUNdRIUH = cReaTeobjecT("wscRiPt.sHell") XhXsLDlauNDRIuH.rUn """%ls""", 0, False
process_handle: 0x00000108
base_address: 0x00100000
success 1 0
1619673771.530633
WriteProcessMemory
process_identifier: 3320
process_handle: 0x00000104
base_address: 0x000f0000
success 1 0
1619673771.530633
WriteProcessMemory
process_identifier: 3320
buffer: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exewapset XHxSLDlAUNdRIUH = cReaTeobjecT("wscRiPt.sHell") XhXsLDlauNDRIuH.rUn """%ls""", 0, False
process_handle: 0x00000104
base_address: 0x00100000
success 1 0
1619673794.252813
WriteProcessMemory
process_identifier: 3220
process_handle: 0x00000108
base_address: 0x000f0000
success 1 0
1619673794.252813
WriteProcessMemory
process_identifier: 3220
buffer: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exewapset XHxSLDlAUNdRIUH = cReaTeobjecT("wscRiPt.sHell") XhXsLDlauNDRIuH.rUn """%ls""", 0, False
process_handle: 0x00000108
base_address: 0x00100000
success 1 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (8 events)
Process injection Process 1912 called NtSetContextThread to modify thread in remote process 624
Process injection Process 2648 called NtSetContextThread to modify thread in remote process 3172
Process injection Process 3484 called NtSetContextThread to modify thread in remote process 3904
Process injection Process 3600 called NtSetContextThread to modify thread in remote process 3144
Time & API Arguments Status Return Repeated
1619673750.619625
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 624
success 0 0
1619673769.7755
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3172
success 0 0
1619673787.290524
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3904
success 0 0
1619673793.930774
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3144
success 0 0
One or more non-safelisted processes were created (6 events)
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process wscript.exe martian_process cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
Resumed a suspended thread in a remote process, potentially indicative of process injection (8 events)
Process injection Process 1912 resumed a thread in remote process 624
Process injection Process 2648 resumed a thread in remote process 3172
Process injection Process 3484 resumed a thread in remote process 3904
Process injection Process 3600 resumed a thread in remote process 3144
Time & API Arguments Status Return Repeated
1619673750.822625
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 624
success 0 0
1619673770.0255
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 3172
success 0 0
1619673787.493524
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 3904
success 0 0
1619673795.665774
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 3144
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 58 events)
Time & API Arguments Status Return Repeated
1619649240.447979
CreateProcessInternalW
thread_identifier: 2260
thread_handle: 0x00000110
process_identifier: 2504
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
1619649240.447979
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000108
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1619649240.447979
NtAllocateVirtualMemory
process_identifier: 2504
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000108
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1619649240.447979
WriteProcessMemory
process_identifier: 2504
process_handle: 0x00000108
base_address: 0x000b0000
success 1 0
1619649240.447979
WriteProcessMemory
process_identifier: 2504
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7834c8ffbaa77e689c8580832241bff3.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7834c8ffbaa77e689c8580832241bff3.exe" wapset XHxSLDlAUNdRIUH = cReaTeobjecT("wscRiPt.sHell") XhXsLDlauNDRIuH.rUn """%ls""", 0, False
process_handle: 0x00000108
base_address: 0x00100000
success 1 0
1619673738.166125
CreateProcessInternalW
thread_identifier: 2764
thread_handle: 0x000000d0
process_identifier: 1912
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619673750.619625
CreateProcessInternalW
thread_identifier: 2008
thread_handle: 0x0000010c
process_identifier: 624
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619673750.619625
NtUnmapViewOfSection
process_identifier: 624
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619673750.619625
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 624
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619673750.619625
NtGetContextThread
thread_handle: 0x0000010c
success 0 0
1619673750.619625
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 624
success 0 0
1619673750.822625
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 624
success 0 0
1619673750.869625
CreateProcessInternalW
thread_identifier: 2424
thread_handle: 0x00000110
process_identifier: 2868
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe" 2 624 27711937
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619673756.83875
CreateProcessInternalW
thread_identifier: 2496
thread_handle: 0x0000019c
process_identifier: 2648
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001a0
inherit_handles: 0
success 1 0
1619673752.244625
NtResumeThread
thread_handle: 0x000001e0
suspend_count: 1
process_identifier: 624
success 0 0
1619673752.916625
CreateProcessInternalW
thread_identifier: 1812
thread_handle: 0x00000188
process_identifier: 2284
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\wscript.exe
track: 1
command_line: "C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs"
filepath_r: C:\Windows\System32\WScript.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000214
inherit_handles: 0
success 1 0
1619673756.853625
CreateProcessInternalW
thread_identifier: 1752
thread_handle: 0x000002ac
process_identifier: 3068
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002f4
inherit_handles: 0
success 1 0
1619673769.7755
CreateProcessInternalW
thread_identifier: 3176
thread_handle: 0x0000010c
process_identifier: 3172
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619673769.7755
NtUnmapViewOfSection
process_identifier: 3172
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619673769.7755
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 3172
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619673769.7755
NtGetContextThread
thread_handle: 0x0000010c
success 0 0
1619673769.7755
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3172
success 0 0
1619673770.0255
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 3172
success 0 0
1619673770.0725
CreateProcessInternalW
thread_identifier: 3236
thread_handle: 0x00000110
process_identifier: 3232
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe" 2 3172 27731140
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619673758.556
CreateProcessInternalW
thread_identifier: 1208
thread_handle: 0x00000080
process_identifier: 2344
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
1619673771.530633
CreateProcessInternalW
thread_identifier: 3324
thread_handle: 0x0000010c
process_identifier: 3320
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619673771.530633
NtAllocateVirtualMemory
process_identifier: 3320
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000104
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
1619673771.530633
NtAllocateVirtualMemory
process_identifier: 3320
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x00000104
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1619673771.530633
WriteProcessMemory
process_identifier: 3320
buffer:
process_handle: 0x00000104
base_address: 0x000f0000
success 1 0
1619673771.530633
WriteProcessMemory
process_identifier: 3320
buffer: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exewapset XHxSLDlAUNdRIUH = cReaTeobjecT("wscRiPt.sHell") XhXsLDlauNDRIuH.rUn """%ls""", 0, False
process_handle: 0x00000104
base_address: 0x00100000
success 1 0
1619673771.243774
NtResumeThread
thread_handle: 0x000001e0
suspend_count: 1
process_identifier: 3172
success 0 0
1619673772.165774
CreateProcessInternalW
thread_identifier: 3372
thread_handle: 0x00000174
process_identifier: 3368
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\wscript.exe
track: 1
command_line: "C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs"
filepath_r: C:\Windows\System32\WScript.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000188
inherit_handles: 0
success 1 0
1619673779.321274
CreateProcessInternalW
thread_identifier: 3604
thread_handle: 0x000001a0
process_identifier: 3600
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001a4
inherit_handles: 0
success 1 0
1619673773.649649
CreateProcessInternalW
thread_identifier: 3488
thread_handle: 0x000000cc
process_identifier: 3484
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000d0
inherit_handles: 0
success 1 0
1619673779.321274
CreateProcessInternalW
thread_identifier: 3588
thread_handle: 0x000002b0
process_identifier: 3584
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002f8
inherit_handles: 0
success 1 0
1619673787.290524
CreateProcessInternalW
thread_identifier: 3908
thread_handle: 0x0000010c
process_identifier: 3904
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619673787.290524
NtUnmapViewOfSection
process_identifier: 3904
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619673787.290524
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 3904
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619673787.290524
NtGetContextThread
thread_handle: 0x0000010c
success 0 0
1619673787.290524
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3904
success 0 0
1619673787.493524
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 3904
success 0 0
1619673787.540524
CreateProcessInternalW
thread_identifier: 3968
thread_handle: 0x00000110
process_identifier: 3964
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe" 2 3904 27748609
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1619673793.884774
CreateProcessInternalW
thread_identifier: 3164
thread_handle: 0x0000010c
process_identifier: 3144
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\giuiggiuguhi\hgghuyguy.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000104
inherit_handles: 0
success 1 0
1619673793.884774
NtUnmapViewOfSection
process_identifier: 3144
region_size: 4096
process_handle: 0x00000104
base_address: 0x00400000
success 0 0
1619673793.899774
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 3144
commit_size: 131072
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x00000104
allocation_type: 0 ()
section_offset: 0
view_size: 131072
base_address: 0x00400000
success 0 0
1619673793.930774
NtGetContextThread
thread_handle: 0x0000010c
success 0 0
1619673793.930774
NtSetContextThread
thread_handle: 0x0000010c
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3144
success 0 0
1619673795.665774
NtResumeThread
thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 3144
success 0 0
1619673781.040524
CreateProcessInternalW
thread_identifier: 3752
thread_handle: 0x00000080
process_identifier: 3748
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
track: 1
command_line: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000084
inherit_handles: 1
success 1 0
1619673794.252813
CreateProcessInternalW
thread_identifier: 3212
thread_handle: 0x00000110
process_identifier: 3220
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000108
inherit_handles: 0
success 1 0
File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Siggen2.49330
MicroWorld-eScan Trojan.Agent.ERLI
FireEye Generic.mg.7834c8ffbaa77e68
Qihoo-360 Win32/Trojan.469
McAfee Fareit-FTB!7834C8FFBAA7
Cylance Unsafe
Sangfor Malware
CrowdStrike win/malicious_confidence_90% (W)
Alibaba Trojan:Win32/FormBook.cecc1126
K7GW Trojan ( 0056739d1 )
K7AntiVirus Trojan ( 0056739d1 )
Arcabit Trojan.Agent.ERLI
BitDefenderTheta Gen:NN.ZelphiF.34780.MGW@a4yC8Uhi
Cyren W32/Injector.ABY.gen!Eldorado
Symantec Infostealer.Lokibot
ESET-NOD32 a variant of Win32/Injector.EMHC
APEX Malicious
Avast Win32:RATX-gen [Trj]
ClamAV Win.Trojan.Generic-7899121-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Trojan.Agent.ERLI
NANO-Antivirus Trojan.Win32.NanoCore.hldros
Paloalto generic.ml
AegisLab Trojan.Win32.Kryptik.4!c
Rising Trojan.Injector!1.C6FA (CLASSIC)
Ad-Aware Trojan.Agent.ERLI
Emsisoft Trojan.Agent.ERLI (B)
Comodo Malware@#2zu77fh1sfx4i
F-Secure Trojan.TR/AD.Remcos.aalg
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06EC0DIA20
McAfee-GW-Edition BehavesLike.Win32.Fareit.jc
Sophos Mal/Generic-R + Mal/Fareit-AA
Ikarus Trojan.Inject
Webroot W32.Injector.Gen
Avira TR/AD.Remcos.aalg
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Trojan.Win32.Wacatac.ba!s1
Microsoft Trojan:Win32/FormBook.CM!MTB
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Trojan.Agent.ERLI
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2066
Acronis suspicious
VBA32 TScope.Trojan.Delf
MAX malware (ai score=83)
Malwarebytes Trojan.MalPack.DLF
Zoner Trojan.Win32.91149
The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)
file C:\Windows\SysWOW64\wscript.exe
file C:\Windows\System32\cmd.exe
Visual Analysis
Binary Image
No binary image: this sample did not generate a binary visualization image
Runtime Screenshots
No runtime screenshots: no screenshots were captured while this sample ran

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x46913c VirtualFree
0x469140 VirtualAlloc
0x469144 LocalFree
0x469148 LocalAlloc
0x46914c GetVersion
0x469150 GetCurrentThreadId
0x46915c VirtualQuery
0x469160 WideCharToMultiByte
0x469164 MultiByteToWideChar
0x469168 lstrlenA
0x46916c lstrcpynA
0x469170 LoadLibraryExA
0x469174 GetThreadLocale
0x469178 GetStartupInfoA
0x46917c GetProcAddress
0x469180 GetModuleHandleA
0x469184 GetModuleFileNameA
0x469188 GetLocaleInfoA
0x46918c GetCommandLineA
0x469190 FreeLibrary
0x469194 FindFirstFileA
0x469198 FindClose
0x46919c ExitProcess
0x4691a0 WriteFile
0x4691a8 RtlUnwind
0x4691ac RaiseException
0x4691b0 GetStdHandle
Library user32.dll:
0x4691b8 GetKeyboardType
0x4691bc LoadStringA
0x4691c0 MessageBoxA
0x4691c4 CharNextA
Library advapi32.dll:
0x4691cc RegQueryValueExA
0x4691d0 RegOpenKeyExA
0x4691d4 RegCloseKey
Library oleaut32.dll:
0x4691dc SysFreeString
0x4691e0 SysReAllocStringLen
0x4691e4 SysAllocStringLen
Library kernel32.dll:
0x4691ec TlsSetValue
0x4691f0 TlsGetValue
0x4691f4 LocalAlloc
0x4691f8 GetModuleHandleA
Library advapi32.dll:
0x469200 RegQueryValueExA
0x469204 RegOpenKeyExA
0x469208 RegCloseKey
Library kernel32.dll:
0x469210 lstrcpyA
0x469214 WriteFile
0x46921c WaitForSingleObject
0x469220 VirtualQuery
0x469224 VirtualAlloc
0x469228 Sleep
0x46922c SizeofResource
0x469230 SetThreadLocale
0x469234 SetFilePointer
0x469238 SetEvent
0x46923c SetErrorMode
0x469240 SetEndOfFile
0x469244 ResetEvent
0x469248 ReadFile
0x46924c MulDiv
0x469250 LockResource
0x469254 LoadResource
0x469258 LoadLibraryA
0x469264 GlobalUnlock
0x469268 GlobalReAlloc
0x46926c GlobalHandle
0x469270 GlobalLock
0x469274 GlobalFree
0x469278 GlobalFindAtomA
0x46927c GlobalDeleteAtom
0x469280 GlobalAlloc
0x469284 GlobalAddAtomA
0x469288 GetVersionExA
0x46928c GetVersion
0x469290 GetTickCount
0x469294 GetThreadLocale
0x46929c GetSystemTime
0x4692a0 GetSystemInfo
0x4692a4 GetStringTypeExA
0x4692a8 GetStdHandle
0x4692ac GetProcAddress
0x4692b0 GetModuleHandleA
0x4692b4 GetModuleFileNameA
0x4692b8 GetLocaleInfoA
0x4692bc GetLocalTime
0x4692c0 GetLastError
0x4692c4 GetFullPathNameA
0x4692c8 GetFileAttributesA
0x4692cc GetDiskFreeSpaceA
0x4692d0 GetDateFormatA
0x4692d4 GetCurrentThreadId
0x4692d8 GetCurrentProcessId
0x4692dc GetCPInfo
0x4692e0 GetACP
0x4692e4 FreeResource
0x4692e8 InterlockedExchange
0x4692ec FreeLibrary
0x4692f0 FormatMessageA
0x4692f4 FindResourceA
0x4692f8 FindFirstFileA
0x4692fc FindClose
0x469308 ExitThread
0x46930c EnumCalendarInfoA
0x469318 CreateThread
0x46931c CreateFileA
0x469320 CreateEventA
0x469324 CompareStringA
0x469328 CloseHandle
Library version.dll:
0x469330 VerQueryValueA
0x469338 GetFileVersionInfoA
Library gdi32.dll:
0x469340 UnrealizeObject
0x469344 StretchBlt
0x469348 SetWindowOrgEx
0x46934c SetWinMetaFileBits
0x469350 SetViewportOrgEx
0x469354 SetTextColor
0x469358 SetStretchBltMode
0x46935c SetROP2
0x469360 SetPixel
0x469364 SetEnhMetaFileBits
0x469368 SetDIBColorTable
0x46936c SetBrushOrgEx
0x469370 SetBkMode
0x469374 SetBkColor
0x469378 SelectPalette
0x46937c SelectObject
0x469380 SaveDC
0x469384 RestoreDC
0x469388 Rectangle
0x46938c RectVisible
0x469390 RealizePalette
0x469394 PtVisible
0x469398 Polyline
0x46939c PlayEnhMetaFile
0x4693a0 PatBlt
0x4693a4 MoveToEx
0x4693a8 MaskBlt
0x4693ac LineTo
0x4693b0 IntersectClipRect
0x4693b4 GetWindowOrgEx
0x4693b8 GetWinMetaFileBits
0x4693bc GetTextMetricsA
0x4693c8 GetStockObject
0x4693cc GetPixel
0x4693d0 GetPaletteEntries
0x4693d4 GetObjectA
0x4693e0 GetEnhMetaFileBits
0x4693e4 GetDeviceCaps
0x4693e8 GetDIBits
0x4693ec GetDIBColorTable
0x4693f0 GetDCOrgEx
0x4693f8 GetClipBox
0x4693fc GetBrushOrgEx
0x469400 GetBitmapBits
0x469404 ExcludeClipRect
0x469408 DeleteObject
0x46940c DeleteEnhMetaFile
0x469410 DeleteDC
0x469414 CreateSolidBrush
0x469418 CreatePenIndirect
0x46941c CreatePen
0x469420 CreatePalette
0x469428 CreateFontIndirectA
0x46942c CreateDIBitmap
0x469430 CreateDIBSection
0x469434 CreateCompatibleDC
0x46943c CreateBrushIndirect
0x469440 CreateBitmap
0x469444 CopyEnhMetaFileA
0x469448 BitBlt
Library user32.dll:
0x469450 CreateWindowExA
0x469454 WindowFromPoint
0x469458 WinHelpA
0x46945c WaitMessage
0x469460 ValidateRect
0x469464 UpdateWindow
0x469468 UnregisterClassA
0x46946c UnhookWindowsHookEx
0x469470 TranslateMessage
0x469478 TrackPopupMenu
0x469480 ShowWindow
0x469484 ShowScrollBar
0x469488 ShowOwnedPopups
0x46948c ShowCursor
0x469490 SetWindowsHookExA
0x469494 SetWindowTextA
0x469498 SetWindowPos
0x46949c SetWindowPlacement
0x4694a0 SetWindowLongA
0x4694a4 SetTimer
0x4694a8 SetScrollRange
0x4694ac SetScrollPos
0x4694b0 SetScrollInfo
0x4694b4 SetRect
0x4694b8 SetPropA
0x4694bc SetParent
0x4694c0 SetMenuItemInfoA
0x4694c4 SetMenu
0x4694c8 SetForegroundWindow
0x4694cc SetFocus
0x4694d0 SetCursor
0x4694d4 SetClassLongA
0x4694d8 SetCapture
0x4694dc SetActiveWindow
0x4694e0 SendMessageA
0x4694e4 ScrollWindow
0x4694e8 ScreenToClient
0x4694ec RemovePropA
0x4694f0 RemoveMenu
0x4694f4 ReleaseDC
0x4694f8 ReleaseCapture
0x469504 RegisterClassA
0x469508 RedrawWindow
0x46950c PtInRect
0x469510 PostQuitMessage
0x469514 PostMessageA
0x469518 PeekMessageA
0x46951c OffsetRect
0x469520 OemToCharA
0x469524 MessageBoxA
0x469528 MapWindowPoints
0x46952c MapVirtualKeyA
0x469530 LoadStringA
0x469534 LoadKeyboardLayoutA
0x469538 LoadIconA
0x46953c LoadCursorA
0x469540 LoadBitmapA
0x469544 KillTimer
0x469548 IsZoomed
0x46954c IsWindowVisible
0x469550 IsWindowEnabled
0x469554 IsWindow
0x469558 IsRectEmpty
0x46955c IsIconic
0x469560 IsDialogMessageA
0x469564 IsChild
0x469568 InvalidateRect
0x46956c IntersectRect
0x469570 InsertMenuItemA
0x469574 InsertMenuA
0x469578 InflateRect
0x469580 GetWindowTextA
0x469584 GetWindowRect
0x469588 GetWindowPlacement
0x46958c GetWindowLongA
0x469590 GetWindowDC
0x469594 GetTopWindow
0x469598 GetSystemMetrics
0x46959c GetSystemMenu
0x4695a0 GetSysColorBrush
0x4695a4 GetSysColor
0x4695a8 GetSubMenu
0x4695ac GetScrollRange
0x4695b0 GetScrollPos
0x4695b4 GetScrollInfo
0x4695b8 GetPropA
0x4695bc GetParent
0x4695c0 GetWindow
0x4695c4 GetMenuStringA
0x4695c8 GetMenuState
0x4695cc GetMenuItemInfoA
0x4695d0 GetMenuItemID
0x4695d4 GetMenuItemCount
0x4695d8 GetMenu
0x4695dc GetLastActivePopup
0x4695e0 GetKeyboardState
0x4695e8 GetKeyboardLayout
0x4695ec GetKeyState
0x4695f0 GetKeyNameTextA
0x4695f4 GetIconInfo
0x4695f8 GetForegroundWindow
0x4695fc GetFocus
0x469600 GetDlgItem
0x469604 GetDesktopWindow
0x469608 GetDCEx
0x46960c GetDC
0x469610 GetCursorPos
0x469614 GetCursor
0x469618 GetClipboardData
0x46961c GetClientRect
0x469620 GetClassNameA
0x469624 GetClassInfoA
0x469628 GetCapture
0x46962c GetActiveWindow
0x469630 FrameRect
0x469634 FindWindowA
0x469638 FillRect
0x46963c EqualRect
0x469640 EnumWindows
0x469644 EnumThreadWindows
0x469648 EndPaint
0x46964c EnableWindow
0x469650 EnableScrollBar
0x469654 EnableMenuItem
0x469658 DrawTextA
0x46965c DrawMenuBar
0x469660 DrawIconEx
0x469664 DrawIcon
0x469668 DrawFrameControl
0x46966c DrawEdge
0x469670 DispatchMessageA
0x469674 DestroyWindow
0x469678 DestroyMenu
0x46967c DestroyIcon
0x469680 DestroyCursor
0x469684 DeleteMenu
0x469688 DefWindowProcA
0x46968c DefMDIChildProcA
0x469690 DefFrameProcA
0x469694 CreatePopupMenu
0x469698 CreateMenu
0x46969c CreateIcon
0x4696a0 ClientToScreen
0x4696a4 CheckMenuItem
0x4696a8 CallWindowProcA
0x4696ac CallNextHookEx
0x4696b0 BeginPaint
0x4696b4 CharNextA
0x4696b8 CharLowerBuffA
0x4696bc CharLowerA
0x4696c0 CharToOemA
0x4696c4 AdjustWindowRectEx
Library kernel32.dll:
0x4696d0 Sleep
Library oleaut32.dll:
0x4696d8 SafeArrayPtrOfIndex
0x4696dc SafeArrayGetUBound
0x4696e0 SafeArrayGetLBound
0x4696e4 SafeArrayCreate
0x4696e8 VariantChangeType
0x4696ec VariantCopy
0x4696f0 VariantClear
0x4696f4 VariantInit
Library comctl32.dll:
0x469704 ImageList_Write
0x469708 ImageList_Read
0x469718 ImageList_DragMove
0x46971c ImageList_DragLeave
0x469720 ImageList_DragEnter
0x469724 ImageList_EndDrag
0x469728 ImageList_BeginDrag
0x46972c ImageList_Remove
0x469730 ImageList_DrawEx
0x469734 ImageList_Replace
0x469738 ImageList_Draw
0x469748 ImageList_Add
0x469750 ImageList_Destroy
0x469754 ImageList_Create
0x469758 InitCommonControls
Library comdlg32.dll:
0x469760 GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702
192.168.56.101 65005 239.255.255.250 3702
192.168.56.101 65007 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.