10.0
0-day

052a7198fb77bc35af1b12cb629da41fd6d4be4f0c008c006f254f538301a3b5

b634d027e6238d564d19b768e92f2493.exe

Analysis time: 130s

Most recent analysis

File size: 181.0KB
Static detection: malicious. Dynamic detection: malicious. 100%. Detection tags: AGEN AGENERIC AI SCORE=84 AIDETECTVM BGDIS BRSECMON CONFIDENCE DESHACOP DHQT DRQCZI ELDORADO EMOTET FAAH GA31103F GENASA GENCIRC GENETIC HIGH CONFIDENCE KCLOUD KRYPTIK LQ0@AO@P4XOO MALICIOUS PE MALWARE1 MALWARE@#3LFV2P047QUR7 MLWGEN OBFUSCATED QVM07 R + MAL R150510 SCORE SMAY1CV7KEC STATIC AI SUSGEN TINBA TROJANPSW UNSAFE UVPM YWKYDX9IF4O ZEXAF
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine results yet
Static verdict
Antivirus engines
Engine Result Date Version
McAfee Obfuscated-FAAH!B634D027E623 20201211 6.0.6.653
Alibaba Trojan:Win32/Kryptik.cb598120 20190527 0.3.0.5
Avast Win32:Trojan-gen 20201211 21.1.5827.0
Baidu 20190318 1.0.0.2
Kingsoft Win32.Troj.Undef.(kcloud) 20201212 2017.9.26.565
Tencent Malware.Win32.Gencirc.10b2e067 20201212 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
The executable uses a known packer (1 event)
packer Armadillo v1.71
The file contains an unknown PE resource name, possibly indicative of a packer (3 events)
resource name DIGESTIONS
resource name FLORINS
resource name GINGERS1
One or more processes crashed (3 events)
Time & API Arguments Status Return Repeated
1619861121.617988
__exception__
stacktrace:
b634d027e6238d564d19b768e92f2493+0x13775 @ 0x413775
b634d027e6238d564d19b768e92f2493+0xeeef @ 0x40eeef
b634d027e6238d564d19b768e92f2493+0x1cf40 @ 0x41cf40
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1635836
registers.edi: 0
registers.eax: 3271
registers.ebp: 1635892
registers.edx: 1637396
registers.ebx: 0
registers.esi: 8859146
registers.ecx: 116
exception.instruction_r: 88 19 88 5c 08 ff eb 0b 3b c3 76 07 c7 45 e4 bd
exception.symbol: PdhEnumObjectItemsA+0x30 PdhMakeCounterPathW-0x1b4 pdh+0x30ee5
exception.instruction: mov byte ptr [ecx], bl
exception.module: pdh.dll
exception.exception_code: 0xc0000005
exception.offset: 200421
exception.address: 0x75520ee5
success 0 0
1619861121.617988
__exception__
stacktrace:
b634d027e6238d564d19b768e92f2493+0x13775 @ 0x413775
b634d027e6238d564d19b768e92f2493+0xeeef @ 0x40eeef
b634d027e6238d564d19b768e92f2493+0x1cf40 @ 0x41cf40
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1635836
registers.edi: 0
registers.eax: 3265
registers.ebp: 1635892
registers.edx: 0
registers.ebx: 0
registers.esi: 4294967294
registers.ecx: 113
exception.instruction_r: 88 19 88 5c 08 ff eb 10 3b c3 76 0c 39 5d e4 75
exception.symbol: PdhEnumObjectItemsA+0x8a PdhMakeCounterPathW-0x15a pdh+0x30f3f
exception.instruction: mov byte ptr [ecx], bl
exception.module: pdh.dll
exception.exception_code: 0xc0000005
exception.offset: 200511
exception.address: 0x75520f3f
success 0 0
1619861121.617988
__exception__
stacktrace:
VarBoolFromStr+0x144 SafeArrayAllocData-0x70 oleaut32+0x1dd15 @ 0x760add15
SafeArrayAllocData+0x18 SafeArrayAllocDescriptorEx-0x54 oleaut32+0x1dd9d @ 0x760add9d
b634d027e6238d564d19b768e92f2493+0x1383e @ 0x41383e
b634d027e6238d564d19b768e92f2493+0xeeef @ 0x40eeef
b634d027e6238d564d19b768e92f2493+0x1cf40 @ 0x41cf40
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1635872
registers.edi: 1654784
registers.eax: 0
registers.ebp: 1635884
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 2179
exception.instruction_r: 8b 0f 8b d0 c1 ea 10 8b f0 66 85 d2 0f 85 89 9f
exception.symbol: VarBoolFromStr+0x16f SafeArrayAllocData-0x45 oleaut32+0x1dd40
exception.instruction: mov ecx, dword ptr [edi]
exception.module: OLEAUT32.dll
exception.exception_code: 0xc0000005
exception.offset: 122176
exception.address: 0x760add40
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features POST method with no referer header, POST method with no useragent header, HTTP version 1.0 used
suspicious_request POST http://brureservtestot.cc/br01ot0a7a0to10u/
Performs some HTTP requests (1 event)
request POST http://brureservtestot.cc/br01ot0a7a0to10u/
Sends data using the HTTP POST method (1 event)
request POST http://brureservtestot.cc/br01ot0a7a0to10u/
Resolves a suspicious Top Level Domain (TLD) (1 event)
domain brureservtestot.cc description Cocos Islands domain TLD
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
1619861121.633988
NtAllocateVirtualMemory
process_identifier: 648
region_size: 10485760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x020f0000
success 0 0
1619893166.575125
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x002b0000
success 0 0
Foreign language identified in PE resource (2 events)
name GINGERS1 language LANG_PORTUGUESE offset 0x0002f2c8 filetype ASCII text, with no line terminators, with overstriking sublanguage SUBLANG_PORTUGUESE size 0x00000003
name RT_VERSION language LANG_SERBIAN offset 0x0002b8d0 filetype data sublanguage SUBLANG_DEFAULT size 0x00000424
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
entropy 6.992850220471686 section {'size_of_data': '0x00004000', 'virtual_address': '0x0001e000', 'entropy': 6.992850220471686, 'name': '.rdata', 'virtual_size': '0x00003ffc'} description A section with a high entropy has been found
entropy 7.1959692022835275 section {'size_of_data': '0x00006400', 'virtual_address': '0x00029000', 'entropy': 7.1959692022835275, 'name': '.rsrc', 'virtual_size': '0x000062d0'} description A section with a high entropy has been found
entropy 0.22777777777777777 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process inject-x86.exe
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (41 events)
Time & API Arguments Status Return Repeated
1619861122.399988
NtProtectVirtualMemory
process_identifier: 2064
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000058
base_address: 0x003b1000
success 0 0
1619893166.575125
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000088
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x06c30000
success 0 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 276
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00210000
success 0 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 372
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00c00000
success 0 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 424
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x0a210000
success 0 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 432
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 476
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 508
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001d0000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 536
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x009e0000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 544
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00190000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 656
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 720
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000d0000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 788
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001c0000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 868
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00e50000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 924
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00e50000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 956
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00f70000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 540
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00d10000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 1080
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x014f0000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 1260
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00190000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 1288
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00180000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 1336
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00350000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1384
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x06c40000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1592
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004b0000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1980
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00190000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1240
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00370000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 2072
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00120000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 2380
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x04850000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 2460
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00bb0000
success 0 0
1619893167.653125
NtAllocateVirtualMemory
process_identifier: 2672
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003d0000
success 0 0
1619893167.653125
NtAllocateVirtualMemory
process_identifier: 2744
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00b60000
success 0 0
1619893167.653125
NtAllocateVirtualMemory
process_identifier: 2784
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007a0000
success 0 0
1619893167.653125
NtAllocateVirtualMemory
process_identifier: 2884
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03e70000
success 0 0
1619893167.653125
NtAllocateVirtualMemory
process_identifier: 2940
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00140000
success 0 0
1619893167.653125
NtAllocateVirtualMemory
process_identifier: 2132
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000f0000
success 0 0
1619893167.653125
NtAllocateVirtualMemory
process_identifier: 1436
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003a0000
success 0 0
1619893167.653125
NtAllocateVirtualMemory
process_identifier: 1176
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01b20000
success 0 0
1619893167.653125
NtAllocateVirtualMemory
process_identifier: 2244
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00dc0000
success 0 0
1619893167.653125
NtAllocateVirtualMemory
process_identifier: 648
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000d0000
success 0 0
1619893167.669125
NtAllocateVirtualMemory
process_identifier: 2064
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01cd0000
success 0 0
1619893169.684125
NtAllocateVirtualMemory
process_identifier: 2824
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000021c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00320000
success 0 0
Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (2 events)
Process injection Process 2064 created a remote thread in non-child process 648
Time & API Arguments Status Return Repeated
1619893167.669125
CreateRemoteThread
thread_identifier: 0
process_identifier: 648
function_address: 0x000d094c
flags: 0
process_handle: 0x000000c0
parameter: 0x00000000
stack_size: 0
failed 0 0
Manipulates memory of a non-child process indicative of process injection (50 out of 79 events)
Process injection Process 2064 manipulating memory of non-child process 1424
Process injection Process 2064 manipulating memory of non-child process 276
Process injection Process 2064 manipulating memory of non-child process 372
Process injection Process 2064 manipulating memory of non-child process 424
Process injection Process 2064 manipulating memory of non-child process 432
Process injection Process 2064 manipulating memory of non-child process 476
Process injection Process 2064 manipulating memory of non-child process 508
Process injection Process 2064 manipulating memory of non-child process 536
Process injection Process 2064 manipulating memory of non-child process 544
Process injection Process 2064 manipulating memory of non-child process 656
Process injection Process 2064 manipulating memory of non-child process 720
Process injection Process 2064 manipulating memory of non-child process 788
Process injection Process 2064 manipulating memory of non-child process 868
Process injection Process 2064 manipulating memory of non-child process 924
Process injection Process 2064 manipulating memory of non-child process 956
Process injection Process 2064 manipulating memory of non-child process 540
Process injection Process 2064 manipulating memory of non-child process 1080
Process injection Process 2064 manipulating memory of non-child process 1260
Process injection Process 2064 manipulating memory of non-child process 1288
Process injection Process 2064 manipulating memory of non-child process 1336
Process injection Process 2064 manipulating memory of non-child process 1384
Process injection Process 2064 manipulating memory of non-child process 1592
Process injection Process 2064 manipulating memory of non-child process 1980
Process injection Process 2064 manipulating memory of non-child process 1240
Process injection Process 2064 manipulating memory of non-child process 2072
Time & API Arguments Status Return Repeated
1619893166.575125
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000088
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x06c30000
success 0 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 276
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00210000
success 0 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 372
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00c00000
success 0 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 424
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x0a210000
success 0 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 432
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 476
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 508
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001d0000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 536
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x009e0000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 544
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00190000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 656
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 720
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000d0000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 788
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001c0000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 868
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00e50000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 924
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00e50000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 956
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00f70000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 540
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00d10000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 1080
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x014f0000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 1260
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00190000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 1288
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00180000
success 0 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 1336
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00350000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1384
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x06c40000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1592
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004b0000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1980
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00190000
success 0 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1240
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00370000
success 0 0
Potential code injection by writing to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619861122.399988
WriteProcessMemory
process_identifier: 2064
buffer: 艉ÇW蟉ÃèReadProcessMemoryWÿӉÆè VirtualAllocWÿÓè[ë˜@j@h0ÿ³Õ@jÿЅÀt ‰ÇƒÕ@jÿ0WÿpÿpÿօÀtÇ4 WÃî\$d¡0‹@ ‹@‹‹H y 32uò‹@ÃU‰åW‹E‰ÂR<‹Rx‹r Æ1ÉAƒÆ‹>ǁocAduï‰Ær$·4N4°r_ÉÂ
process_handle: 0x00000058
base_address: 0x003b16c1
success 1 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 648 resumed a thread in remote process 2064
Time & API Arguments Status Return Repeated
1619861122.774988
NtResumeThread
thread_handle: 0x00000070
suspend_count: 1
process_identifier: 2064
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 84 events)
Time & API Arguments Status Return Repeated
1619861122.399988
CreateProcessInternalW
thread_identifier: 2060
thread_handle: 0x00000070
process_identifier: 2064
current_directory:
filepath:
track: 1
command_line: winver
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000058
inherit_handles: 0
success 1 0
1619861122.399988
NtGetContextThread
thread_handle: 0x00000070
success 0 0
1619861122.399988
WriteProcessMemory
process_identifier: 2064
buffer: 艉ÇW蟉ÃèReadProcessMemoryWÿӉÆè VirtualAllocWÿÓè[ë˜@j@h0ÿ³Õ@jÿЅÀt ‰ÇƒÕ@jÿ0WÿpÿpÿօÀtÇ4 WÃî\$d¡0‹@ ‹@‹‹H y 32uò‹@ÃU‰åW‹E‰ÂR<‹Rx‹r Æ1ÉAƒÆ‹>ǁocAduï‰Ær$·4N4°r_ÉÂ
process_handle: 0x00000058
base_address: 0x003b16c1
success 1 0
1619861122.774988
NtResumeThread
thread_handle: 0x00000070
suspend_count: 1
process_identifier: 2064
success 0 0
1619893166.575125
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000088
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x06c30000
success 0 0
1619893166.575125
WriteProcessMemory
process_identifier: 1424
buffer:
process_handle: 0x00000088
base_address: 0x06c30000
success 1 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 276
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00210000
success 0 0
1619893167.606125
WriteProcessMemory
process_identifier: 276
buffer:
process_handle: 0x000000c0
base_address: 0x00210000
success 1 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 372
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00c00000
success 0 0
1619893167.606125
WriteProcessMemory
process_identifier: 372
buffer:
process_handle: 0x000000c0
base_address: 0x00c00000
success 1 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 424
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x0a210000
success 0 0
1619893167.606125
WriteProcessMemory
process_identifier: 424
buffer:
process_handle: 0x000000c0
base_address: 0x0a210000
success 1 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 432
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1619893167.606125
WriteProcessMemory
process_identifier: 432
buffer:
process_handle: 0x000000c0
base_address: 0x00110000
success 1 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 476
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1619893167.606125
WriteProcessMemory
process_identifier: 476
buffer:
process_handle: 0x000000c0
base_address: 0x00110000
success 1 0
1619893167.606125
NtAllocateVirtualMemory
process_identifier: 508
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001d0000
success 0 0
1619893167.606125
WriteProcessMemory
process_identifier: 508
buffer:
process_handle: 0x000000c0
base_address: 0x001d0000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 536
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x009e0000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 536
buffer:
process_handle: 0x000000c0
base_address: 0x009e0000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 544
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00190000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 544
buffer:
process_handle: 0x000000c0
base_address: 0x00190000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 656
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 656
buffer:
process_handle: 0x000000c0
base_address: 0x00400000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 720
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000d0000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 720
buffer:
process_handle: 0x000000c0
base_address: 0x000d0000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 788
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001c0000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 788
buffer:
process_handle: 0x000000c0
base_address: 0x001c0000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 868
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00e50000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 868
buffer:
process_handle: 0x000000c0
base_address: 0x00e50000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 924
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00e50000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 924
buffer:
process_handle: 0x000000c0
base_address: 0x00e50000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 956
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00f70000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 956
buffer:
process_handle: 0x000000c0
base_address: 0x00f70000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 540
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00d10000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 540
buffer:
process_handle: 0x000000c0
base_address: 0x00d10000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 1080
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x014f0000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 1080
buffer:
process_handle: 0x000000c0
base_address: 0x014f0000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 1260
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00190000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 1260
buffer:
process_handle: 0x000000c0
base_address: 0x00190000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 1288
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00180000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 1288
buffer:
process_handle: 0x000000c0
base_address: 0x00180000
success 1 0
1619893167.622125
NtAllocateVirtualMemory
process_identifier: 1336
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00350000
success 0 0
1619893167.622125
WriteProcessMemory
process_identifier: 1336
buffer:
process_handle: 0x000000c0
base_address: 0x00350000
success 1 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1384
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1619893167.638125
WriteProcessMemory
process_identifier: 1384
buffer:
process_handle: 0x000000c0
base_address: 0x00130000
success 1 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x06c40000
success 0 0
1619893167.638125
WriteProcessMemory
process_identifier: 1424
buffer:
process_handle: 0x000000c0
base_address: 0x06c40000
success 1 0
1619893167.638125
NtAllocateVirtualMemory
process_identifier: 1592
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000c0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004b0000
success 0 0
1619893167.638125
WriteProcessMemory
process_identifier: 1592
buffer:
process_handle: 0x000000c0
base_address: 0x004b0000
success 1 0
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Tinba.161
MicroWorld-eScan Trojan.Brsecmon.1
FireEye Generic.mg.b634d027e6238d56
McAfee Obfuscated-FAAH!B634D027E623
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.739209
Sangfor Malware
K7AntiVirus Trojan ( 0055dd191 )
Alibaba Trojan:Win32/Kryptik.cb598120
K7GW Trojan ( 0055dd191 )
Cybereason malicious.7e6238
Arcabit Trojan.Brsecmon.1
BitDefenderTheta Gen:NN.ZexaF.34688.lq0@aO@P4XoO
Cyren W32/S-40e551ad!Eldorado
Symantec Trojan.Tinba!gm
ESET-NOD32 a variant of Win32/Kryptik.DHQT
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.Tinba-7166253-1
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Trojan.Brsecmon.1
NANO-Antivirus Trojan.Win32.MlwGen.drqczi
Avast Win32:Trojan-gen
Rising Trojan.Tinba!8.1B2 (TFE:5:SMaY1CV7keC)
Ad-Aware Trojan.Brsecmon.1
TACHYON Trojan/W32.Agent.185344.US
Sophos Mal/Generic-R + Mal/Tinba-I
Comodo Malware@#3lfv2p047qur7
F-Secure Heuristic.HEUR/AGEN.1124199
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_KRYPTIK_GA31103F.UVPM
McAfee-GW-Edition BehavesLike.Win32.Emotet.ch
Emsisoft Trojan.Brsecmon.1 (B)
Ikarus Trojan.Win32.Tinba
Jiangmin Trojan/Generic.bgdis
eGambit Unsafe.AI_Score_99%
Avira HEUR/AGEN.1124199
Antiy-AVL Trojan/Win32.AGeneric
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Tinba!rfn
AegisLab Trojan.Win32.Generic.4!c
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Trojan.Brsecmon.1
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Tinba.R150510
Acronis suspicious
VBA32 TrojanPSW.Tinba
ALYac Trojan.Brsecmon.1
Visual analysis
Binary image
No binary image: this sample did not produce a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2004-07-29 22:04:49

Imports

Library pdh.dll:
0x41e310 PdhEnumObjectItemsA
Library LZ32.dll:
0x41e0ec LZOpenFileW
Library KERNEL32.dll:
0x41e0b4 GetConsoleTitleA
0x41e0bc GlobalWire
0x41e0c0 GetLastError
0x41e0c4 EnumDateFormatsW
0x41e0c8 GetVersion
0x41e0d0 GetSystemDirectoryW
0x41e0d4 EnumSystemLocalesW
0x41e0d8 CreateFileA
0x41e0dc GetModuleHandleA
0x41e0e0 GetModuleFileNameW
0x41e0e4 GetStartupInfoA
Library MSVCRT.dll:
0x41e0f4 _controlfp
0x41e0f8 _initterm
0x41e0fc _exit
0x41e100 _XcptFilter
0x41e104 exit
0x41e108 _acmdln
0x41e10c __getmainargs
0x41e110 __setusermatherr
0x41e114 _adjust_fdiv
0x41e118 __p__commode
0x41e11c __p__fmode
0x41e120 __set_app_type
0x41e124 _except_handler3
Library WINSPOOL.DRV:
0x41e2d8 WritePrinter
0x41e2dc AddMonitorA
0x41e2e0 AddPrinterW
0x41e2f0 DocumentPropertiesW
0x41e2f4 GetPrinterW
Library RESUTILS.dll:
0x41e140 ResUtilStopService
Library COMCTL32.dll:
0x41e044 CreateToolbarEx
0x41e048
Library USER32.dll:
0x41e1bc PaintDesktop
0x41e1c0 ReleaseDC
0x41e1c4 InvertRect
0x41e1c8 EnumDesktopsW
0x41e1d0 SetParent
0x41e1d4 AppendMenuW
0x41e1dc CharPrevA
0x41e1e4 CallMsgFilterW
0x41e1e8 CloseClipboard
0x41e1ec GetLastActivePopup
0x41e1f0 ModifyMenuW
0x41e1f4 GetDesktopWindow
0x41e1f8 RemoveMenu
0x41e1fc GetQueueStatus
0x41e200 IsCharUpperW
0x41e204 UnregisterClassW
0x41e208 GetWindowTextA
0x41e20c GetPropA
0x41e210 GetDialogBaseUnits
0x41e214 TileWindows
0x41e218 DdeGetData
0x41e21c WinHelpA
0x41e220 RemovePropA
0x41e224 SendIMEMessageExA
0x41e228 GetDoubleClickTime
0x41e234 DestroyIcon
0x41e238 IsWindowEnabled
0x41e240 LoadIconA
0x41e244 TrackPopupMenuEx
0x41e248 ExitWindowsEx
0x41e250 TranslateMessage
0x41e254 WaitForInputIdle
0x41e258 CreateDialogParamW
0x41e25c SetDlgItemTextW
0x41e260 GetWindow
0x41e268 GetKBCodePage
0x41e26c UnhookWinEvent
0x41e270 CreateMDIWindowW
0x41e278 GetSysColorBrush
0x41e27c SetMenuItemInfoA
0x41e284 PackDDElParam
0x41e288 OpenDesktopW
0x41e28c DdeInitializeA
0x41e290 CreateWindowExA
0x41e294 DefMDIChildProcA
0x41e298 SendMessageW
0x41e29c CreateDesktopA
0x41e2a0 LoadImageA
0x41e2a8 MapVirtualKeyW
0x41e2ac ToUnicodeEx
0x41e2b0 CreateWindowExW
0x41e2b4 LoadStringA
0x41e2b8 DdeQueryStringW
0x41e2bc ChangeMenuA
0x41e2c0 DlgDirSelectExA
0x41e2c4 OffsetRect
0x41e2c8 CharToOemA
0x41e2cc PostMessageA
Library SHELL32.dll:
0x41e150 SHQueryRecycleBinW
0x41e158 SHGetDiskFreeSpaceA
0x41e15c DragQueryFileA
Library SHLWAPI.dll:
0x41e164 PathAddExtensionA
0x41e16c StrCmpW
0x41e170 PathIsPrefixA
0x41e174 PathFindExtensionA
0x41e178 PathIsFileSpecW
0x41e17c PathRemoveArgsA
0x41e180 SHRegWriteUSValueW
0x41e184 PathFindFileNameW
0x41e190 SHRegGetUSValueA
0x41e194 PathAppendA
0x41e198 StrCSpnIA
0x41e19c PathFindOnPathA
0x41e1a4 SHDeleteValueA
0x41e1a8 PathCommonPrefixW
0x41e1ac SHDeleteEmptyKeyA
0x41e1b0 SHEnumValueA
Library ole32.dll:
0x41e2fc CoUnmarshalHresult
0x41e300 CoFreeLibrary
0x41e308 OleRegGetUserType
Library GDI32.dll:
0x41e050 CopyEnhMetaFileA
0x41e054 SetStretchBltMode
0x41e05c GetTextFaceA
0x41e060 GetNearestColor
0x41e064 GetGlyphOutlineA
0x41e068 SetViewportOrgEx
0x41e06c Polyline
0x41e070 GetTextCharsetInfo
0x41e074 SetBoundsRect
0x41e07c LPtoDP
0x41e084 GdiFlush
0x41e088 SetPolyFillMode
0x41e08c SetWorldTransform
0x41e090 GetGlyphOutlineW
0x41e094 GetCharWidth32W
0x41e0a0 SetPixelV
Library IMAGEHLP.dll:
0x41e0a8 FindExecutableImage
0x41e0ac ImageRvaToVa
Library ADVAPI32.dll:
0x41e000 GetUserNameA
0x41e00c RegFlushKey
0x41e010 QueryServiceStatus
0x41e014 FindFirstFreeAce
0x41e018 AddAuditAccessAce
0x41e024 CloseEventLog
0x41e028 RegCreateKeyW
0x41e02c EnumServicesStatusW
0x41e030 RegUnLoadKeyA
0x41e038 RegEnumValueA
Library OLEAUT32.dll:
0x41e12c SafeArrayAllocData
0x41e130 SafeArrayCreate
0x41e134 VarR4FromUI2
Library urlmon.dll:
0x41e338 HlinkGoBack

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49176 35.225.160.245 brureservtestot.cc 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 49455 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58370 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://brureservtestot.cc/br01ot0a7a0to10u/
POST /br01ot0a7a0to10u/ HTTP/1.0
Host: brureservtestot.cc
Content-Length: 157

\xab\x1c\x1e\xff\xe5\x1c\x1e\xff\xea'\xd8\xc7\xad\x1d\x1f\xdc\xe9NK\xff\xab\x1c\x1e\xff

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.