11.6
0-day

3d604878a1a81c85be92fc830d195e4503cf17c9e8cd3e6778e2f4c3cf14c83c

8d3726d6d462489bbec8033b0efa5d71.exe

Analysis duration

100s

Last analyzed

File size

930.0KB
Static detections / dynamic detections: 6GW@ASBSV0GI AI SCORE=88 AIDETECT ALI2000015 AUTO AUTOG AUTOIT CLOUD CONFIDENCE DATASTEALER DELF DELFINJECT DELPHILESS EMVB EMVM FAREIT GENERICKDZ GENERICRXLP GRANDSTEALNET GVLA HIGH CONFIDENCE HPRNFS HWUBQQSA KCLOUD MALWARE1 MALWARE@#3BPKI4LL0KFVT OFUYC S + TROJ SAVE SCORE STATIC AI SUSGEN SUSPICIOUS PE TSCOPE UNSAFE X2094 ZELPHIF
Eagle Eye engine
Not detected: no Eagle Eye engine detection results available
Static verdict
Antivirus engines
Engine Result Date Version
McAfee GenericRXLP-FB!8D3726D6D462 20210310 6.0.6.653
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20210310 21.1.5827.0
Tencent Win32.Trojan.Inject.Auto 20210310 1.0.0.1
Kingsoft Win32.Troj.Generic_a.a.(kcloud) 20210310 2017.9.26.565
CrowdStrike win/malicious_confidence_90% (D) 20210203 1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (12 events)
Time & API Arguments Status Return Repeated
1619690085.902876
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghjkzxijdk+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75114b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75115d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff46148d
success 0 0
1619690093.856249
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghjkzxijdk+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x751c4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x751c5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3f148d
success 0 0
1619690098.902374
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghjkzxijdk+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdbc148d
success 0 0
1619690105.668001
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghjkzxijdk+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdbb148d
success 0 0
1619690110.621626
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghjkzxijdk+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfddf148d
success 0 0
1619690115.106626
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghjkzxijdk+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 180
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd94148d
success 0 0
1619690119.606001
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghjkzxijdk+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff4d148d
success 0 0
1619690123.668249
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghjkzxijdk+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff5b148d
success 0 0
1619690126.996124
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghjkzxijdk+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb3148d
success 0 0
1619690133.996626
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghjkzxijdk+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd91148d
success 0 0
1619690139.137249
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghjkzxijdk+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdd9148d
success 0 0
1619690143.840001
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
ghjkzxijdk+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x751c4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x751c5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff4f148d
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 378 events)
Time & API Arguments Status Return Repeated
1619686131.639212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d0000
success 0 0
1619686131.811212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f10000
success 0 0
1619686131.827212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f30000
success 0 0
1619690083.793876
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01e00000
success 0 0
1619690083.840876
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e30000
success 0 0
1619690083.840876
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e60000
success 0 0
1619690084.527876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619690084.637876
NtAllocateVirtualMemory
process_identifier: 520
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f10000
success 0 0
1619690084.637876
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02010000
success 0 0
1619690084.637876
NtAllocateVirtualMemory
process_identifier: 520
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f10000
success 0 0
1619690084.652876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f12000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f02000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f02000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f02000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f02000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f02000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f02000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f02000
success 0 0
1619690085.731876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619690085.746876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f02000
success 0 0
1619690085.746876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619690085.746876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f02000
success 0 0
1619690085.746876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619690085.746876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01f02000
success 0 0
1619690085.746876
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619690084.699001
NtAllocateVirtualMemory
process_identifier: 3132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003f0000
success 0 0
1619690084.715001
NtAllocateVirtualMemory
process_identifier: 3132
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f50000
success 0 0
1619690084.715001
NtAllocateVirtualMemory
process_identifier: 3132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f80000
success 0 0
1619690092.324249
NtAllocateVirtualMemory
process_identifier: 3324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619690092.590249
NtAllocateVirtualMemory
process_identifier: 3324
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00500000
success 0 0
1619690092.621249
NtAllocateVirtualMemory
process_identifier: 3324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00530000
success 0 0
1619690093.777249
NtProtectVirtualMemory
process_identifier: 3392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619690093.793249
NtAllocateVirtualMemory
process_identifier: 3392
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f40000
success 0 0
1619690093.793249
NtAllocateVirtualMemory
process_identifier: 3392
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f80000
success 0 0
1619690093.793249
NtAllocateVirtualMemory
process_identifier: 3392
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01fc0000
success 0 0
1619690093.793249
NtProtectVirtualMemory
process_identifier: 3392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01fc2000
success 0 0
1619690093.840249
NtProtectVirtualMemory
process_identifier: 3392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e92000
success 0 0
1619690093.840249
NtProtectVirtualMemory
process_identifier: 3392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1619690093.840249
NtProtectVirtualMemory
process_identifier: 3392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e92000
success 0 0
1619690093.840249
NtProtectVirtualMemory
process_identifier: 3392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1619690093.840249
NtProtectVirtualMemory
process_identifier: 3392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e92000
success 0 0
1619690093.840249
NtProtectVirtualMemory
process_identifier: 3392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1619690093.840249
NtProtectVirtualMemory
process_identifier: 3392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01e92000
success 0 0
1619690093.840249
NtProtectVirtualMemory
process_identifier: 3392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (50 out of 72 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.626069043672774 section {'size_of_data': '0x0006ce00', 'virtual_address': '0x00082000', 'entropy': 7.626069043672774, 'name': '.rsrc', 'virtual_size': '0x0006cc7c'} description A section with a high entropy has been found
entropy 0.468783638320775 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process ghjkzxijdk.exe
Repeatedly searches for a process that is not found; you may want to run a web browser during analysis (38 events)
Time & API Arguments Status Return Repeated
1619686131.843212
Process32NextW
process_name: conhost.exe
snapshot_handle: 0x000000f4
process_identifier: 2864
failed 0 0
1619690083.840876
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 428
failed 0 0
1619690084.777001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3204
failed 0 0
1619690091.871001
Process32NextW
process_name: ghjkzxijdk.exe
snapshot_handle: 0x0000019c
process_identifier: 3132
failed 0 0
1619690092.637249
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3380
failed 0 0
1619690094.324001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3560
failed 0 0
1619690096.590001
Process32NextW
process_name: ghjkzxijdk.exe
snapshot_handle: 0x00000130
process_identifier: 3464
failed 0 0
1619690097.465876
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3632
failed 0 0
1619690099.402374
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3788
failed 0 0
1619690103.137374
Process32NextW
process_name: ghjkzxijdk.exe
snapshot_handle: 0x00000164
process_identifier: 3708
failed 0 0
1619690104.012499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3876
failed 0 0
1619690106.527249
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 4048
failed 0 0
1619690107.590249
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000010c
process_identifier: 4048
failed 0 0
1619690108.184876
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3112
failed 0 0
1619690111.340751
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 324
failed 0 0
1619690112.340751
Process32NextW
process_name: ghjkzxijdk.exe
snapshot_handle: 0x00000110
process_identifier: 2868
failed 0 0
1619690113.106751
Process32NextW
process_name: ghjkzxijdk.exe
snapshot_handle: 0x000000f4
process_identifier: 2860
failed 0 0
1619690115.512001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3556
failed 0 0
1619690116.965001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x0000011c
process_identifier: 920
failed 0 0
1619690118.184876
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3664
failed 0 0
1619690120.402876
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3912
failed 0 0
1619690121.777876
Process32NextW
process_name: ghjkzxijdk.exe
snapshot_handle: 0x00000114
process_identifier: 3580
failed 0 0
1619690122.621001
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3996
failed 0 0
1619690124.137751
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3884
failed 0 0
1619690125.434751
Process32NextW
process_name: ghjkzxijdk.exe
snapshot_handle: 0x00000118
process_identifier: 4072
failed 0 0
1619690126.121626
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2864
failed 0 0
1619690128.590876
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2856
failed 0 0
1619690131.324876
Process32NextW
process_name: ghjkzxijdk.exe
snapshot_handle: 0x00000130
process_identifier: 4064
failed 0 0
1619690132.356249
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3700
failed 0 0
1619690134.496499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3684
failed 0 0
1619690136.809499
Process32NextW
process_name: ghjkzxijdk.exe
snapshot_handle: 0x0000011c
process_identifier: 3836
failed 0 0
1619690137.699501
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3172
failed 0 0
1619690139.402249
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2516
failed 0 0
1619690142.059249
Process32NextW
process_name: ghjkzxijdk.exe
snapshot_handle: 0x0000013c
process_identifier: 3116
failed 0 0
1619690142.637876
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2344
failed 0 0
1619690144.543499
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3972
failed 0 0
1619690146.590499
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x0000012c
process_identifier: 4080
failed 0 0
1619690147.371501
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 472
failed 0 0
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe:ZoneIdentifier
Allocates execute permission in another process, indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1619686132.561212
NtAllocateVirtualMemory
process_identifier: 1432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
Manipulates memory of a non-child process, indicative of process injection (3 events)
Process injection Process 3356 manipulating memory of non-child process 3124
Time & API Arguments Status Return Repeated
1619690147.949501
NtUnmapViewOfSection
process_identifier: 3124
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619690147.965501
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3124
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
Creates a thread using NtQueueApcThread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 732 created a thread in remote process 1432
Time & API Arguments Status Return Repeated
1619686132.561212
NtQueueApcThread
thread_handle: 0x00000104
process_identifier: 1432
function_address: 0x000f05c0
parameter: 0x00100000
success 0 0
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1619686132.561212
WriteProcessMemory
process_identifier: 1432
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x000000fc
base_address: 0x000f0000
success 1 0
1619686132.561212
WriteProcessMemory
process_identifier: 1432
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8d3726d6d462489bbec8033b0efa5d71.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8d3726d6d462489bbec8033b0efa5d71.exe" webSet VovJJ = CrEATeobJect("wscrIpt.Shell") vOvjJ.rUn """%ls""", 0, False
process_handle: 0x000000fc
base_address: 0x00100000
success 1 0
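The second WriteProcessMemory buffer above is not code: it is the data block the APC routine receives (its base 0x00100000 is exactly the `parameter` passed to NtQueueApcThread): the original sample path, the copy path under AppData\Roaming\appdata, the quoted command line, and a wscript.Shell launcher template whose `.rUn """%ls""", 0, False` runs its target with window style 0 (hidden). That template matches the web.vbs autorun entry listed earlier in the report. As an added example, not part of the report or of the sandbox's signature code, the Python below triages such launchers: it extracts the `.Run` target from mixed-case VBS, flags hidden-window launches, and scans the per-user Startup folder the sample used. The VBS inputs are constructed from the template; the `payload.exe` path and the `victim` user are hypothetical.

```python
"""Triage of a Startup-folder VBS launcher like the one the sample drops as web.vbs.

Added example, not part of the report. The VBS samples are constructed from the
wscript.Shell launcher template visible in the WriteProcessMemory buffer above;
the parsing and scanning helpers are hypothetical, not the sandbox's own code.
"""
import os
import re

# CreateObject("WScript.Shell") and .Run are matched case-insensitively because the
# dropped launcher deliberately mixes case (CrEATeobJect("wscrIpt.Shell"), .rUn).
SHELL_OBJECT = re.compile(r'CreateObject\s*\(\s*"wscript\.shell"\s*\)', re.I)
# WshShell.Run strCommand[, intWindowStyle][, bWaitOnReturn]; a VBS string literal
# doubles embedded quotes, so """x""" is the three-character literal "x".
RUN_CALL = re.compile(r'\.run\s+"((?:[^"]|"")*)"(?:\s*,\s*(\d+))?(?:\s*,\s*(true|false))?', re.I)


def triage_vbs(text):
    """Describe a WScript.Shell launcher, or return None if the script is not one."""
    if not SHELL_OBJECT.search(text):
        return None
    m = RUN_CALL.search(text)
    if not m:
        return None
    raw, window_style, wait = m.groups()
    target = raw.replace('""', '"').strip('"')   # unescape, then drop the wrapping quotes
    return {
        "target": target,
        "hidden_window": window_style == "0",    # intWindowStyle 0 hides the window
        "waits": (wait or "").lower() == "true",
        "unresolved_template": "%ls" in target,  # still the dropper's printf-style placeholder
    }


def scan_startup_scripts(named_texts):
    """Return (file name, run target) for every hidden-window launcher in the input pairs."""
    findings = []
    for name, text in named_texts:
        info = triage_vbs(text)
        if info and info["hidden_window"]:
            findings.append((name, info["target"]))
    return findings


def read_startup_folder(folder=None):
    """Yield (name, text) for every .vbs in the per-user Startup folder the sample wrote to."""
    folder = folder or os.path.join(os.environ.get("APPDATA", ""),
                                    r"Microsoft\Windows\Start Menu\Programs\Startup")
    if os.path.isdir(folder):
        for name in os.listdir(folder):
            if name.lower().endswith(".vbs"):
                with open(os.path.join(folder, name), encoding="utf-8", errors="replace") as fh:
                    yield name, fh.read()


# Constructed inputs. RAW_TEMPLATE is the launcher as the buffer shows it (the
# dropper fills %ls with the copied executable's path at run time); FILLED is what
# a written-out copy looks like, with a hypothetical target path and user name.
RAW_TEMPLATE = 'Set VovJJ = CrEATeobJect("wscrIpt.Shell")\nvOvjJ.rUn """%ls""", 0, False\n'
FILLED = ('Set VovJJ = CrEATeobJect("wscrIpt.Shell")\n'
          r'vOvjJ.rUn """C:\Users\victim\AppData\Roaming\appdata\payload.exe""", 0, False')
BENIGN = 'Set fso = CreateObject("Scripting.FileSystemObject")\nMsgBox fso.GetTempName\n'

if __name__ == "__main__":
    for name, text in (("web.vbs", FILLED), ("template.vbs", RAW_TEMPLATE), ("tool.vbs", BENIGN)):
        print(name, triage_vbs(text))
    print(scan_startup_scripts(read_startup_folder()))
```

On a live host, run it as the affected user so `%APPDATA%` resolves to the same Startup folder the report names; a launcher whose target sits under AppData\Roaming and runs with window style 0 is the pattern to escalate.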
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (26 events)
Process injection Process 2760 called NtSetContextThread to modify thread in remote process 520
Process injection Process 3324 called NtSetContextThread to modify thread in remote process 3392
Process injection Process 3576 called NtSetContextThread to modify thread in remote process 3644
Process injection Process 3820 called NtSetContextThread to modify thread in remote process 3896
Process injection Process 4060 called NtSetContextThread to modify thread in remote process 3100
Process injection Process 2860 called NtSetContextThread to modify thread in remote process 1948
Process injection Process 3508 called NtSetContextThread to modify thread in remote process 3688
Process injection Process 3928 called NtSetContextThread to modify thread in remote process 4008
Process injection Process 3128 called NtSetContextThread to modify thread in remote process 2544
Process injection Process 3544 called NtSetContextThread to modify thread in remote process 2632
Process injection Process 4024 called NtSetContextThread to modify thread in remote process 2956
Process injection Process 2364 called NtSetContextThread to modify thread in remote process 2228
Process injection Process 3356 called NtSetContextThread to modify thread in remote process 3124
Time & API Arguments Status Return Repeated
1619690084.027876
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 520
success 0 0
1619690092.871249
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3392
success 0 0
1619690097.699876
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3644
success 0 0
1619690104.559499
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3896
success 0 0
1619690109.340876
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3100
success 0 0
1619690113.871751
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1948
success 0 0
1619690118.606876
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3688
success 0 0
1619690122.809001
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4008
success 0 0
1619690126.324626
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2544
success 0 0
1619690132.793249
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2632
success 0 0
1619690138.059501
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2956
success 0 0
1619690142.840876
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2228
success 0 0
1619690148.074501
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3124
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (26 events)
Process injection Process 2760 resumed a thread in remote process 520
Process injection Process 3324 resumed a thread in remote process 3392
Process injection Process 3576 resumed a thread in remote process 3644
Process injection Process 3820 resumed a thread in remote process 3896
Process injection Process 4060 resumed a thread in remote process 3100
Process injection Process 2860 resumed a thread in remote process 1948
Process injection Process 3508 resumed a thread in remote process 3688
Process injection Process 3928 resumed a thread in remote process 4008
Process injection Process 3128 resumed a thread in remote process 2544
Process injection Process 3544 resumed a thread in remote process 2632
Process injection Process 4024 resumed a thread in remote process 2956
Process injection Process 2364 resumed a thread in remote process 2228
Process injection Process 3356 resumed a thread in remote process 3124
Time & API Arguments Status Return Repeated
1619690084.293876
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 520
success 0 0
1619690093.481249
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3392
success 0 0
1619690098.387876
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3644
success 0 0
1619690105.387499
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3896
success 0 0
1619690109.918876
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3100
success 0 0
1619690114.231751
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 1948
success 0 0
1619690119.012876
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3688
success 0 0
1619690123.059001
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 4008
success 0 0
1619690126.621626
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2544
success 0 0
1619690133.512249
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2632
success 0 0
1619690138.606501
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2956
success 0 0
1619690143.121876
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2228
success 0 0
1619690149.168501
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3124
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 108 events)
Time & API Arguments Status Return Repeated
1619686132.561212
CreateProcessInternalW
thread_identifier: 2996
thread_handle: 0x00000104
process_identifier: 1432
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619686132.561212
NtAllocateVirtualMemory
process_identifier: 1432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
1619686132.561212
NtAllocateVirtualMemory
process_identifier: 1432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1619686132.561212
WriteProcessMemory
process_identifier: 1432
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x000000fc
base_address: 0x000f0000
success 1 0
1619686132.561212
WriteProcessMemory
process_identifier: 1432
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8d3726d6d462489bbec8033b0efa5d71.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8d3726d6d462489bbec8033b0efa5d71.exe" webSet VovJJ = CrEATeobJect("wscrIpt.Shell") vOvjJ.rUn """%ls""", 0, False
process_handle: 0x000000fc
base_address: 0x00100000
success 1 0
1619686132.880384
CreateProcessInternalW
thread_identifier: 2636
thread_handle: 0x000000d0
process_identifier: 2760
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1619690083.965876
CreateProcessInternalW
thread_identifier: 2440
thread_handle: 0x00000104
process_identifier: 520
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619690083.965876
NtUnmapViewOfSection
process_identifier: 520
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619690083.981876
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 520
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619690084.027876
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619690084.027876
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 520
success 0 0
1619690084.293876
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 520
success 0 0
1619690084.402876
CreateProcessInternalW
thread_identifier: 3136
thread_handle: 0x00000108
process_identifier: 3132
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe" 2 520 33688062
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619690092.059001
CreateProcessInternalW
thread_identifier: 3328
thread_handle: 0x000001a0
process_identifier: 3324
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001a4
inherit_handles: 0
success 1 0
1619690092.731249
CreateProcessInternalW
thread_identifier: 3396
thread_handle: 0x00000104
process_identifier: 3392
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619690092.731249
NtUnmapViewOfSection
process_identifier: 3392
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619690092.762249
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3392
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619690092.871249
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619690092.871249
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3392
success 0 0
1619690093.481249
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3392
success 0 0
1619690093.762249
CreateProcessInternalW
thread_identifier: 3468
thread_handle: 0x00000108
process_identifier: 3464
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe" 2 3392 33697265
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619690096.793001
CreateProcessInternalW
thread_identifier: 3580
thread_handle: 0x00000134
process_identifier: 3576
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000138
inherit_handles: 0
success 1 0
1619690097.652876
CreateProcessInternalW
thread_identifier: 3648
thread_handle: 0x00000104
process_identifier: 3644
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619690097.652876
NtUnmapViewOfSection
process_identifier: 3644
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619690097.668876
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3644
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619690097.699876
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619690097.699876
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3644
success 0 0
1619690098.387876
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3644
success 0 0
1619690098.824876
CreateProcessInternalW
thread_identifier: 3712
thread_handle: 0x00000108
process_identifier: 3708
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe" 2 3644 33702156
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619690103.324374
CreateProcessInternalW
thread_identifier: 3824
thread_handle: 0x00000168
process_identifier: 3820
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x0000016c
inherit_handles: 0
success 1 0
1619690104.356499
CreateProcessInternalW
thread_identifier: 3900
thread_handle: 0x00000104
process_identifier: 3896
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619690104.356499
NtUnmapViewOfSection
process_identifier: 3896
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619690104.402499
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3896
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619690104.559499
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619690104.559499
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3896
success 0 0
1619690105.387499
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3896
success 0 0
1619690105.684499
CreateProcessInternalW
thread_identifier: 3960
thread_handle: 0x00000108
process_identifier: 3956
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe" 2 3896 33709156
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619690107.746249
CreateProcessInternalW
thread_identifier: 4064
thread_handle: 0x00000110
process_identifier: 4060
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000114
inherit_handles: 0
success 1 0
1619690109.137876
CreateProcessInternalW
thread_identifier: 3124
thread_handle: 0x00000104
process_identifier: 3100
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619690109.137876
NtUnmapViewOfSection
process_identifier: 3100
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619690109.168876
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3100
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619690109.340876
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1619690109.340876
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503072
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3100
success 0 0
1619690109.918876
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3100
success 0 0
1619690110.637876
CreateProcessInternalW
thread_identifier: 2856
thread_handle: 0x00000108
process_identifier: 2868
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe" 2 3100 33713687
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619690112.715751
CreateProcessInternalW
thread_identifier: 2632
thread_handle: 0x00000114
process_identifier: 2860
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1619690113.777751
CreateProcessInternalW
thread_identifier: 1888
thread_handle: 0x00000104
process_identifier: 1948
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\ghjkzxijdk.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1619690113.777751
NtUnmapViewOfSection
process_identifier: 1948
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1619690113.793751
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 1948
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1619690113.871751
NtGetContextThread
thread_handle: 0x00000104
success 0 0
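The trace above shows two distinct injection chains. Early on, the sample starts notepad.exe (pid 1432), allocates a 4096-byte PAGE_EXECUTE_READWRITE region at 0x000f0000 in it, writes the shellcode there, writes a data block at 0x00100000, and queues an APC at 0x000f05c0 with 0x00100000 as its argument. Later, each ghjkzxijdk.exe copy starts another copy with CREATE_SUSPENDED, unmaps the image at 0x00400000, maps a 1314816-byte RWX section view at the same base, sets the thread context and resumes it; the EAX written by NtSetContextThread, 5503072 = 0x0053f860, lies inside the new 0x00400000..0x00541000 view, which is the entry-point handoff hollowing loaders perform, while EIP is logged as 0 and EBX (2130567168 = 0x7efde000) is the conventional 32-bit PEB address. As an added example, not part of the report or of the sandbox's signature engine, the Python below replays both chains as a detector over event records. The `Event` class and the two `find_*` functions are hypothetical helpers; `SAMPLE_TRACE` is constructed from the values the report lists.

```python
"""Replay of the injection chains in the sandbox API trace above.

Added example, not part of the report or the sandbox's own signature engine.
Event, find_hollowing and find_apc_injection are hypothetical helpers; the
SAMPLE_TRACE values are copied from the report's event listing.
"""
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40   # win32_protect / protection value 64 in the report
CREATE_SUSPENDED = 0x4          # creation_flags value 4 in the report


class Event:
    """One API call as the sandbox logs it: API name, target pid, arguments."""

    def __init__(self, api, pid, **args):
        self.api, self.pid, self.args = api, pid, args


def _in_region(addr, base, size):
    return base <= addr < base + size


def find_hollowing(events):
    """Map pid -> stages for every process that completes the hollowing chain.

    Chain: CreateProcessInternalW(CREATE_SUSPENDED) -> NtUnmapViewOfSection of the
    image base -> NtMapViewOfSection of an RWX view at that same base ->
    NtSetContextThread pointing the thread into the new view -> NtResumeThread.
    """
    state = defaultdict(lambda: {"stages": [], "unmap_base": None, "view": None})
    for ev in events:
        st, a = state[ev.pid], ev.args
        if ev.api == "CreateProcessInternalW" and a.get("creation_flags", 0) & CREATE_SUSPENDED:
            st["stages"].append("suspended")
        elif ev.api == "NtUnmapViewOfSection" and "suspended" in st["stages"]:
            st["stages"].append("unmapped")
            st["unmap_base"] = a["base_address"]
        elif ev.api == "NtMapViewOfSection" and "unmapped" in st["stages"]:
            if a["win32_protect"] == PAGE_EXECUTE_READWRITE and a["base_address"] == st["unmap_base"]:
                st["stages"].append("mapped_rwx")
                st["view"] = (a["base_address"], a["view_size"])
        elif ev.api == "NtSetContextThread" and st["view"]:
            # A hollowing loader hands the suspended thread the new image's entry
            # point. In this report EIP stays 0 and EAX carries it, so check both.
            if any(_in_region(a.get(reg, 0), *st["view"]) for reg in ("eip", "eax")):
                st["stages"].append("context_in_view")
        elif ev.api == "NtResumeThread" and "context_in_view" in st["stages"]:
            st["stages"].append("resumed")
    return {pid: s["stages"] for pid, s in state.items() if s["stages"][-1:] == ["resumed"]}


def find_apc_injection(events):
    """Map pid -> (rwx_region_base, apc_routine) for alloc-RWX -> write -> APC chains."""
    regions, hits = defaultdict(list), {}
    for ev in events:
        a = ev.args
        if ev.api == "NtAllocateVirtualMemory" and a["protection"] == PAGE_EXECUTE_READWRITE:
            regions[ev.pid].append({"base": a["base_address"], "size": a["region_size"], "written": False})
        elif ev.api == "WriteProcessMemory":
            for r in regions[ev.pid]:
                if _in_region(a["base_address"], r["base"], r["size"]):
                    r["written"] = True
        elif ev.api == "NtQueueApcThread":
            for r in regions[ev.pid]:
                if r["written"] and _in_region(a["function_address"], r["base"], r["size"]):
                    hits[ev.pid] = (r["base"], a["function_address"])
    return hits


# Constructed trace: one APC injection into notepad.exe (pid 1432) and one
# hollowing of a suspended copy of ghjkzxijdk.exe (pid 520); values from the report.
SAMPLE_TRACE = [
    Event("CreateProcessInternalW", 1432, creation_flags=0x20, filepath=r"C:\Windows\System32\notepad.exe"),
    Event("NtAllocateVirtualMemory", 1432, protection=0x40, base_address=0x000F0000, region_size=0x1000),
    Event("NtAllocateVirtualMemory", 1432, protection=0x04, base_address=0x00100000, region_size=0x1000),
    Event("WriteProcessMemory", 1432, base_address=0x000F0000),   # shellcode
    Event("WriteProcessMemory", 1432, base_address=0x00100000),   # paths + VBS template, the APC argument
    Event("NtQueueApcThread", 1432, function_address=0x000F05C0, parameter=0x00100000),
    Event("CreateProcessInternalW", 520, creation_flags=CREATE_SUSPENDED),
    Event("NtUnmapViewOfSection", 520, base_address=0x00400000, region_size=0x1000),
    Event("NtMapViewOfSection", 520, base_address=0x00400000, view_size=1314816, win32_protect=0x40),
    Event("NtGetContextThread", 520),
    Event("NtSetContextThread", 520, eip=0, eax=5503072, ebx=2130567168),
    Event("NtResumeThread", 520, suspend_count=1),
]

if __name__ == "__main__":
    print("hollowing:", find_hollowing(SAMPLE_TRACE))
    print("apc injection:", {p: tuple(hex(v) for v in t) for p, t in find_apc_injection(SAMPLE_TRACE).items()})
```

The same ordering check is what an EDR rule does on the endpoint: a suspended child, an unmap of its own image base, an RWX map at that base, and a context change before the first resume is a sequence no legitimate loader produces. The detector keys on the target pid, so the thirteen parent-child pairs the report lists above would each surface as a separate hit.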
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69162
FireEye Generic.mg.8d3726d6d462489b
McAfee GenericRXLP-FB!8D3726D6D462
Cylance Unsafe
Zillya Trojan.Crypt.Win32.64238
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0056baa21 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 0056baa21 )
Cybereason malicious.6d4624
Arcabit Trojan.Generic.D10E2A
Cyren W32/Trojan.GVLA-5171
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win32:Trojan-gen
Kaspersky HEUR:Trojan.Win32.Crypt.gen
BitDefender Trojan.GenericKDZ.69162
NANO-Antivirus Trojan.Win32.Crypt.hprnfs
Paloalto generic.ml
AegisLab Trojan.Win32.Crypt.4!c
Tencent Win32.Trojan.Inject.Auto
Ad-Aware Trojan.GenericKDZ.69162
Sophos Mal/Generic-S + Troj/AutoG-IR
Comodo Malware@#3bpki4ll0kfvt
F-Secure Trojan.TR/Injector.ofuyc
DrWeb Trojan.PWS.GrandStealNET.2
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Fareit.dc
Emsisoft Trojan.GenericKDZ.69162 (B)
Ikarus Trojan-Dropper.Win32.Autoit
ESET-NOD32 a variant of Win32/Injector.EMVB
MaxSecure Trojan.Malware.300983.susgen
Avira TR/Injector.ofuyc
MAX malware (ai score=88)
Antiy-AVL Trojan/Win32.Crypt
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft Trojan.Win32.Packed.oa
Microsoft Trojan:Win32/DataStealer.VD!MTB
ZoneAlarm HEUR:Trojan.Win32.Crypt.gen
GData Trojan.GenericKDZ.69162
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2094
Acronis suspicious
BitDefenderTheta Gen:NN.ZelphiF.34608.6GW@aSBsv0gi
ALYac Trojan.GenericKDZ.69162
VBA32 TScope.Trojan.Delf
Malwarebytes Trojan.MalPack.DLF
Rising Trojan.Injector!1.C99D (CLOUD)
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Run screenshots
No run screenshots: no screenshots were generated while the sample ran

PE Compile Time

1992-06-20 06:22:17 (this is the fixed TimeDateStamp 0x2A425E19 that Delphi compilers write into every PE, 1992-06-19 22:22:17 UTC rendered in UTC+8; it says nothing about when this sample was actually built and simply agrees with the Delphi-flavoured names in the AV table above, such as Delphiless, ZelphiF and Delf)

Imports

Library kernel32.dll:
0x47513c VirtualFree
0x475140 VirtualAlloc
0x475144 LocalFree
0x475148 LocalAlloc
0x47514c GetVersion
0x475150 GetCurrentThreadId
0x47515c VirtualQuery
0x475160 WideCharToMultiByte
0x475164 MultiByteToWideChar
0x475168 lstrlenA
0x47516c lstrcpynA
0x475170 LoadLibraryExA
0x475174 GetThreadLocale
0x475178 GetStartupInfoA
0x47517c GetProcAddress
0x475180 GetModuleHandleA
0x475184 GetModuleFileNameA
0x475188 GetLocaleInfoA
0x47518c GetCommandLineA
0x475190 FreeLibrary
0x475194 FindFirstFileA
0x475198 FindClose
0x47519c ExitProcess
0x4751a0 WriteFile
0x4751a8 RtlUnwind
0x4751ac RaiseException
0x4751b0 GetStdHandle
Library user32.dll:
0x4751b8 GetKeyboardType
0x4751bc LoadStringA
0x4751c0 MessageBoxA
0x4751c4 CharNextA
Library advapi32.dll:
0x4751cc RegQueryValueExA
0x4751d0 RegOpenKeyExA
0x4751d4 RegCloseKey
Library oleaut32.dll:
0x4751dc SysFreeString
0x4751e0 SysReAllocStringLen
0x4751e4 SysAllocStringLen
Library kernel32.dll:
0x4751ec TlsSetValue
0x4751f0 TlsGetValue
0x4751f4 LocalAlloc
0x4751f8 GetModuleHandleA
Library advapi32.dll:
0x475200 RegQueryValueExA
0x475204 RegOpenKeyExA
0x475208 RegCloseKey
Library kernel32.dll:
0x475210 lstrcpyA
0x475214 WriteFile
0x475218 WaitForSingleObject
0x47521c VirtualQuery
0x475220 VirtualAlloc
0x475224 Sleep
0x475228 SizeofResource
0x47522c SetThreadLocale
0x475230 SetFilePointer
0x475234 SetEvent
0x475238 SetErrorMode
0x47523c SetEndOfFile
0x475240 ResetEvent
0x475244 ReadFile
0x475248 MulDiv
0x47524c LockResource
0x475250 LoadResource
0x475254 LoadLibraryA
0x475260 GlobalUnlock
0x475264 GlobalReAlloc
0x475268 GlobalHandle
0x47526c GlobalLock
0x475270 GlobalFree
0x475274 GlobalFindAtomA
0x475278 GlobalDeleteAtom
0x47527c GlobalAlloc
0x475280 GlobalAddAtomA
0x475284 GetVersionExA
0x475288 GetVersion
0x47528c GetTickCount
0x475290 GetThreadLocale
0x475294 GetSystemInfo
0x475298 GetStringTypeExA
0x47529c GetStdHandle
0x4752a0 GetProcAddress
0x4752a4 GetModuleHandleA
0x4752a8 GetModuleFileNameA
0x4752ac GetLocaleInfoA
0x4752b0 GetLocalTime
0x4752b4 GetLastError
0x4752b8 GetFullPathNameA
0x4752bc GetFileAttributesA
0x4752c0 GetDiskFreeSpaceA
0x4752c4 GetDateFormatA
0x4752c8 GetCurrentThreadId
0x4752cc GetCurrentProcessId
0x4752d0 GetCPInfo
0x4752d4 GetACP
0x4752d8 FreeResource
0x4752dc InterlockedExchange
0x4752e0 FreeLibrary
0x4752e4 FormatMessageA
0x4752e8 FindResourceA
0x4752ec FindFirstFileA
0x4752f0 FindClose
0x4752fc EnumCalendarInfoA
0x475308 CreateThread
0x47530c CreateFileA
0x475310 CreateEventA
0x475314 CompareStringA
0x475318 CloseHandle
Library version.dll:
0x475320 VerQueryValueA
0x475328 GetFileVersionInfoA
Library gdi32.dll:
0x475330 UnrealizeObject
0x475334 StretchBlt
0x475338 SetWindowOrgEx
0x47533c SetWinMetaFileBits
0x475340 SetViewportOrgEx
0x475344 SetTextColor
0x475348 SetStretchBltMode
0x47534c SetROP2
0x475350 SetPixel
0x475354 SetEnhMetaFileBits
0x475358 SetDIBColorTable
0x47535c SetColorSpace
0x475360 SetBrushOrgEx
0x475364 SetBkMode
0x475368 SetBkColor
0x47536c SelectPalette
0x475370 SelectObject
0x475374 SaveDC
0x475378 RestoreDC
0x47537c Rectangle
0x475380 RectVisible
0x475384 RealizePalette
0x475388 Polyline
0x47538c PlayEnhMetaFile
0x475390 PatBlt
0x475394 MoveToEx
0x475398 MaskBlt
0x47539c LineTo
0x4753a0 IntersectClipRect
0x4753a4 GetWindowOrgEx
0x4753a8 GetWinMetaFileBits
0x4753ac GetTextMetricsA
0x4753b8 GetStockObject
0x4753bc GetPixel
0x4753c0 GetPaletteEntries
0x4753c4 GetObjectA
0x4753d0 GetEnhMetaFileBits
0x4753d4 GetDeviceCaps
0x4753d8 GetDIBits
0x4753dc GetDIBColorTable
0x4753e0 GetDCOrgEx
0x4753e8 GetClipBox
0x4753ec GetBrushOrgEx
0x4753f0 GetBitmapBits
0x4753f4 ExcludeClipRect
0x4753f8 DeleteObject
0x4753fc DeleteEnhMetaFile
0x475400 DeleteDC
0x475404 CreateSolidBrush
0x475408 CreatePenIndirect
0x47540c CreatePalette
0x475414 CreateFontIndirectA
0x475418 CreateDIBitmap
0x47541c CreateDIBSection
0x475420 CreateCompatibleDC
0x475428 CreateBrushIndirect
0x47542c CreateBitmap
0x475430 CopyEnhMetaFileA
0x475434 BitBlt
Library user32.dll:
Library kernel32.dll:
Library oleaut32.dll:
Library comctl32.dll:
Library comdlg32.dll:

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 50537 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702
192.168.56.101 62192 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped Files

No dropped files.

Dropped Buffers

No dropped buffers.