11.0
0-day

205d1684668f7cdb88d3afa81e13e706565bf2f1e5ad4a13800caa2a39b82030

f1b9a9a8d0190657936178dc7c0d6769.exe

Analysis duration: 103s

Last analysis:

File size: 931.0KB
Static detection / Dynamic detection: 100% 6GW@A0R5ZFMI AI SCORE=88 ALI2000015 APIW ATTRIBUTE CLOUD CONFIDENCE DELF DELFINJECT DELPHILESS DOWNLOADER34 EMTN FAREIT FORMBOOK HIGH CONFIDENCE HIGHCONFIDENCE HPCPCS IGENERIC KRYPTIK LCUO MODERATE NANOCORE QTFDU QUASAR QVM05 R002C0DGT20 SCORE SUSPICIOUS PE TROJAN3 TSCOPE UNSAFE X2091 ZELPHIF ZUSY
鹰眼 (Eagle Eye) engine
Not detected: no 鹰眼 (Eagle Eye) engine detection results yet
Static verdict
Antivirus engines
Engine | Result | Scan time | Engine version
McAfee Fareit-FPQ!F1B9A9A8D019 20200806 6.0.6.653
Alibaba Trojan:Win32/DelfInject.ali2000015 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20200806 18.4.3895.0
Kingsoft 20200806 2013.8.14.323
Tencent 20200806 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
The executable uses a known packer (1 event)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (12 events)
Time & API Arguments Status Return Repeated
1620010807.842626
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
dndjsfmsdds+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75114b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75115d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff5d148d
success 0 0
1620010816.655501
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
dndjsfmsdds+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdba148d
success 0 0
1620010821.421501
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
dndjsfmsdds+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff59148d
success 0 0
1620010825.9525
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
dndjsfmsdds+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd91148d
success 0 0
1620010831.967626
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
dndjsfmsdds+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff5e148d
success 0 0
1620010837.6715
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
dndjsfmsdds+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfd91148d
success 0 0
1620010843.53075
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
dndjsfmsdds+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x751c4b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x751c5d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff52148d
success 0 0
1620010849.0615
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
dndjsfmsdds+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb7148d
success 0 0
1620010853.5465
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
dndjsfmsdds+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdcf148d
success 0 0
1620010858.233875
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
dndjsfmsdds+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75124b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75125d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdbc148d
success 0 0
1620010862.483375
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
dndjsfmsdds+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xfdb7148d
success 0 0
1620010867.31125
__exception__
stacktrace:
RtlFlsAlloc+0x421 EtwNotificationRegister-0x6ae ntdll+0x3ee84 @ 0x77d6ee84
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x77d6c389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x752ad4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
dndjsfmsdds+0xa23f8 @ 0x4a23f8
_CorValidateImage+0x83f _CorExeMain-0x2cc mscoree+0x4b0f @ 0x75174b0f
_CorExeMain+0xf62 CreateConfigStream-0x209a mscoree+0x5d3d @ 0x75175d3d
0x57005c

registers.esp: 1633872
registers.edi: 0
registers.eax: 0
registers.ebp: 1633912
registers.edx: 582600
registers.ebx: 0
registers.esi: 1634116
registers.ecx: 176
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xff3c148d
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 376 events)
Time & API Arguments Status Return Repeated
1620010803.952375
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1620010804.014375
NtAllocateVirtualMemory
process_identifier: 580
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00500000
success 0 0
1620010804.014375
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00530000
success 0 0
1620010805.186
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01df0000
success 0 0
1620010805.264
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01e60000
success 0 0
1620010805.28
NtAllocateVirtualMemory
process_identifier: 1164
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f80000
success 0 0
1620010806.655626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620010806.671626
NtAllocateVirtualMemory
process_identifier: 3132
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02080000
success 0 0
1620010806.671626
NtAllocateVirtualMemory
process_identifier: 3132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02170000
success 0 0
1620010806.671626
NtAllocateVirtualMemory
process_identifier: 3132
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ee0000
success 0 0
1620010806.671626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x01ee2000
success 0 0
1620010807.764626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02072000
success 0 0
1620010807.764626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02072000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02072000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02072000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02072000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77d4f000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02072000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02072000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02072000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02072000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02072000
success 0 0
1620010807.780626
NtProtectVirtualMemory
process_identifier: 3132
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620010806.999501
NtAllocateVirtualMemory
process_identifier: 3204
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1620010807.124501
NtAllocateVirtualMemory
process_identifier: 3204
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f10000
success 0 0
1620010807.139501
NtAllocateVirtualMemory
process_identifier: 3204
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01f30000
success 0 0
1620010814.686626
NtAllocateVirtualMemory
process_identifier: 3332
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1620010815.014626
NtAllocateVirtualMemory
process_identifier: 3332
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00500000
success 0 0
1620010815.014626
NtAllocateVirtualMemory
process_identifier: 3332
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00530000
success 0 0
1620010816.311501
NtProtectVirtualMemory
process_identifier: 3408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620010816.327501
NtAllocateVirtualMemory
process_identifier: 3408
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x01f40000
success 0 0
1620010816.327501
NtAllocateVirtualMemory
process_identifier: 3408
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01fc0000
success 0 0
1620010816.327501
NtAllocateVirtualMemory
process_identifier: 3408
region_size: 630784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02000000
success 0 0
1620010816.342501
NtProtectVirtualMemory
process_identifier: 3408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 602112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02002000
success 0 0
1620010816.561501
NtProtectVirtualMemory
process_identifier: 3408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1620010816.561501
NtProtectVirtualMemory
process_identifier: 3408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
1620010816.561501
NtProtectVirtualMemory
process_identifier: 3408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1620010816.561501
NtProtectVirtualMemory
process_identifier: 3408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76353000
success 0 0
1620010816.561501
NtProtectVirtualMemory
process_identifier: 3408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1620010816.561501
NtProtectVirtualMemory
process_identifier: 3408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76354000
success 0 0
1620010816.561501
NtProtectVirtualMemory
process_identifier: 3408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00642000
success 0 0
1620010816.561501
NtProtectVirtualMemory
process_identifier: 3408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76351000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (40 events)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.608494248973546 section {'size_of_data': '0x00071a00', 'virtual_address': '0x0007d000', 'entropy': 7.608494248973546, 'name': '.rsrc', 'virtual_size': '0x0007192c'} description A section with a high entropy has been found
entropy 0.48870967741935484 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process dndjsfmsdds.exe
Repeatedly searches for a not-found process; you may want to run a web browser during analysis (37 events)
Time & API Arguments Status Return Repeated
1620010804.014375
Process32NextW
process_name: conhost.exe
snapshot_handle: 0x000000f4
process_identifier: 2340
failed 0 0
1620010805.296
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3116
failed 0 0
1620010807.171501
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3268
failed 0 0
1620010813.983501
Process32NextW
process_name: dndjsfmsdds.exe
snapshot_handle: 0x00000198
process_identifier: 3204
failed 0 0
1620010815.061626
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3392
failed 0 0
1620010816.717875
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x000000f4
process_identifier: 3552
failed 0 0
1620010819.342875
Process32NextW
process_name: dndjsfmsdds.exe
snapshot_handle: 0x0000013c
process_identifier: 3476
failed 0 0
1620010819.967125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3644
failed 0 0
1620010821.936
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3812
failed 0 0
1620010823.561
Process32NextW
process_name: dndjsfmsdds.exe
snapshot_handle: 0x00000128
process_identifier: 3716
failed 0 0
1620010824.296375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3888
failed 0 0
1620010826.827375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 4040
failed 0 0
1620010828.811375
Process32NextW
process_name: dndjsfmsdds.exe
snapshot_handle: 0x00000118
process_identifier: 3956
failed 0 0
1620010830.264
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2988
failed 0 0
1620010832.186875
Process32NextW
process_name: is32bit.exe
snapshot_handle: 0x000000f4
process_identifier: 3312
failed 0 0
1620010835.921875
Process32NextW
process_name: dndjsfmsdds.exe
snapshot_handle: 0x00000148
process_identifier: 3224
failed 0 0
1620010836.45275
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 376
failed 0 0
1620010839.046375
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x000000f4
process_identifier: 3672
failed 0 0
1620010841.858375
Process32NextW
process_name: dllhost.exe
snapshot_handle: 0x00000138
process_identifier: 3672
failed 0 0
1620010842.38925
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2944
failed 0 0
1620010844.74925
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3976
failed 0 0
1620010846.67125
Process32NextW
process_name: dndjsfmsdds.exe
snapshot_handle: 0x0000011c
process_identifier: 3856
failed 0 0
1620010847.577
Process32NextW
process_name: dndjsfmsdds.exe
snapshot_handle: 0x000000f4
process_identifier: 4024
failed 0 0
1620010849.139875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3064
failed 0 0
1620010851.780875
Process32NextW
process_name: dndjsfmsdds.exe
snapshot_handle: 0x0000013c
process_identifier: 2168
failed 0 0
1620010852.311
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3136
failed 0 0
1620010853.905125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3240
failed 0 0
1620010856.046125
Process32NextW
process_name: dndjsfmsdds.exe
snapshot_handle: 0x00000130
process_identifier: 3524
failed 0 0
1620010856.952125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2940
failed 0 0
1620010858.608375
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 2120
failed 0 0
1620010859.999375
Process32NextW
process_name: dndjsfmsdds.exe
snapshot_handle: 0x0000011c
process_identifier: 4008
failed 0 0
1620010861.186875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3364
failed 0 0
1620010863.171875
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3544
failed 0 0
1620010864.452875
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x00000110
process_identifier: 3516
failed 0 0
1620010865.936125
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 1948
failed 0 0
1620010868.67175
Process32NextW
process_name: inject-x86.exe
snapshot_handle: 0x000000f4
process_identifier: 3180
failed 0 0
1620010870.88975
Process32NextW
process_name: mscorsvw.exe
snapshot_handle: 0x00000118
process_identifier: 3412
failed 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe:ZoneIdentifier
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated
1620010804.389375
NtAllocateVirtualMemory
process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
Installs itself for autorun at Windows startup (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
Creates a thread using NtQueueApcThread in a remote process potentially indicative of process injection (2 events)
Process injection Process 580 created a thread in remote process 2228
Time & API Arguments Status Return Repeated
1620010804.389375
NtQueueApcThread
thread_handle: 0x00000104
process_identifier: 2228
function_address: 0x000b05c0
parameter: 0x000c0000
success 0 0
Potential code injection by writing to the memory of another process (2 events)
Time & API Arguments Status Return Repeated
1620010804.389375
WriteProcessMemory
process_identifier: 2228
buffer: Q¹0d‹‹@ ‹@ ‹‹‹@‰$‹$YÃVWR¾§ÆgNè„Yƒøv· ¿Zwf;Ït ¿Ntf;ÏuƒÂƒè…Àt‹ÎÁá‹þÁïϾ:Ï3ñBHué_‹Æ^ÃU‹ìQQ‹MSVW…Ét;¸MZf9u1‹A<Át*8PEu"‹@xƒeüÁ‹x‹X$‹p ‹@ùÙñ‰Eø…Àu 3À_^[ÉËM‹Eü‹†ÑèOÿÿÿ;E t ÿEü‹Eü;Eøràë׋Eü·C‹‡EëÊU‹ìQSW3ÿWWjWjh@ÿuÿV‹Øƒûÿu3Àë&WWWS‰}üÿV0W‹}EüPWÿu SÿV SÿV3À9}ü”À_[ÉÅÉtè•…Àt3Éf‰ÃU‹ììV‹ð…äüÿÿP3ÀPPjPÿVl…À…Žj\Xf‰Eü3Àj.f‰EþXjvf‰EðXf‰EòjbXf‰EôjsXf‰Eö3Àf‰EøUü…äüÿÿèÖ‹U è΍UðèÆÿu…ìþÿÿÿuPÿVxƒÄ …äüÿÿPÿV…ìþÿÿPèÂ@P…ìþÿÿP…äüÿÿPèîþÿÿƒÄ^ÉÃU‹ìì,j:XjZf‰EÜXjof‰EÞXjnf‰EàXjef‰EâXjIf‰EäXjdf‰EæXjef‰EèXjnf‰EêXjtf‰EìXjif‰EîXjff‰EðXjif‰EòXf‰EôjeXf‰EöjrXf‰Eø3Àf‰Eú…Ôýÿÿ謍UÜè÷EÿPÆEÿèPEÿP…ÔýÿÿPè?þÿÿƒÄÉÃU‹ìQƒeüV‹ðEüPÿuèþYY…Àtƒ}ütÿuüPÿu è þÿÿƒÄ …Àt3À@ë3À^ÉÃU‹ììSV‹ð‹Ï…øýÿÿè'‹Èè(þÿÿ3ÛS…øýÿÿPÿVWÿV8] uWÿu‹Æè~ÿÿÿYY‹Øë €} u5SWÿuÿWÿV(3ۃøÿ‹Ï•Ãèªþÿÿƒûu9]u WÿV(ƒÈPWÿV,3À@ë3À^[ÉÃU‹ìƒìSVWèsüÿÿ‹ø…ÿ„"h"¿ŠWèÌüÿÿ‹ØYY…Û„ jh0h„jÿӋð…ö„ñh¼Û«½W‰~`‰^@è•üÿÿhÒ¼‰W‰F$è‡üÿÿh|QgjW‰F(èyüÿÿhëI”W‰F,èküÿÿh•å©—W‰F0è]üÿÿh¥°(W‰F4èOüÿÿh)·W‰F8èAüÿÿh[uŠðW‰FDè3üÿÿƒÄ@‹Øhd†óuW‰^ è üÿÿh¢¦aëW‰F èüÿÿhÕOd"W‰Fèüÿÿhy.ÔW‰Fèöûÿÿh±÷W‰FèèûÿÿheóW÷W‰FèÚûÿÿh¯4P“W‰FèÌûÿÿh{=#W‰F<è¾ûÿÿƒÄ@hOû~ W‰Fè­ûÿÿhà=!6W‰FHèŸûÿÿhh‰#W‰è’ûÿÿ‰FLhÍeWè„ûÿÿhÓ1ÆVW‰FPèvûÿÿh7œ½W‰FTèhûÿÿh£-ãW‰FXèZûÿÿ‰F\ƒÄ8EðPÇEðshelÇEôl32ÿӋø…ÿt"hÀåz°W‰~dè,ûÿÿhêêºW‰FlèûÿÿƒÄ‰FpEøPÇEøuserfÇEü32ÆEþÿV ‹ø…ÿtAhqV°0W‰~hèìúÿÿhkV°0W‰FxèÞúÿÿh&cj—W‰FtèÐúÿÿh<cj—W‰F|èÂúÿÿƒÄ ‰†€‹Æë3À_^[ÉÃU‹ìƒì\V‹uW3ÿ;÷„îSè¤ýÿÿ‹Ø;ßu WÿDéՍ†‰EüPëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPF‰Eø‰E9>tYÿ¶¶ŽQP¾ ‹Ãè¾üÿÿ‰}3ÿƒÄ 9>t1jDE¤WPèjEèWPèüƒÄEèPE¤PWWj WWWWÿuÿS$9¾(t†lP†,Pÿu‹Ãè½úÿÿƒÄ 9¾tëj2ÿSPÿuüWWÿSL…ÀuïjdÿSPÿuøÿSWÿSD[_3À^ÉÂU‹ìƒì SW3ÿWWjWjh€ÿu‰}øÿV‹Øƒûÿu3Àë>WSÿV‰Eô;Çt+jh0PWÿV@‰Eø;ÇtWMüQÿuô‰}üPSÿV‹Eü‹M ‰SÿV‹Eø_[É÷f‰f…ÒtV‹ð+ñƒÁ·f‰f…Òuñ^ÃU‹ìQQ‹E‰Eü‹EüE‰Eø‹Eü;Eøt‹EüŠM ˆ‹Eü@‰Eüëç‹EÉÃfƒ8V‹ðt ƒÆfƒ>u÷+ò· f‰ ƒÂf…Éuñ^ËD$Š@„Éuù+D$HÅÉu3ÀÃfƒ9‹Át ƒÀfƒ8u÷+ÁÑøÃ…Ét èÚÿÿÿ…ÀtDAþë fƒù\t ƒè·f…Éuï3ÀÃ
process_handle: 0x000000fc
base_address: 0x000b0000
success 1 0
1620010804.389375
WriteProcessMemory
process_identifier: 2228
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f1b9a9a8d0190657936178dc7c0d6769.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f1b9a9a8d0190657936178dc7c0d6769.exe" websEt bHTedHtXP = CreAtEOBject("WscRIPt.sHelL") BhteDHtxP.Run """%ls""", 0, False
process_handle: 0x000000fc
base_address: 0x000c0000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (24 events)
Process injection Process 1164 called NtSetContextThread to modify thread in remote process 3132
Process injection Process 3332 called NtSetContextThread to modify thread in remote process 3408
Process injection Process 3588 called NtSetContextThread to modify thread in remote process 3656
Process injection Process 3824 called NtSetContextThread to modify thread in remote process 3896
Process injection Process 4060 called NtSetContextThread to modify thread in remote process 2424
Process injection Process 3328 called NtSetContextThread to modify thread in remote process 3424
Process injection Process 3712 called NtSetContextThread to modify thread in remote process 3772
Process injection Process 4024 called NtSetContextThread to modify thread in remote process 4072
Process injection Process 2436 called NtSetContextThread to modify thread in remote process 3352
Process injection Process 3760 called NtSetContextThread to modify thread in remote process 3864
Process injection Process 3044 called NtSetContextThread to modify thread in remote process 3004
Process injection Process 3632 called NtSetContextThread to modify thread in remote process 3928
Time & API Arguments Status Return Repeated
1620010805.655
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3132
success 0 0
1620010815.655626
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3408
success 0 0
1620010820.374125
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3656
success 0 0
1620010824.639375
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3896
success 0 0
1620010830.624
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2424
success 0 0
1620010836.68675
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3424
success 0 0
1620010842.63925
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3772
success 0 0
1620010848.249
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 4072
success 0 0
1620010852.577
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3352
success 0 0
1620010857.233125
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3864
success 0 0
1620010861.624875
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3004
success 0 0
1620010866.452125
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3928
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (24 events)
Process injection Process 1164 resumed a thread in remote process 3132
Process injection Process 3332 resumed a thread in remote process 3408
Process injection Process 3588 resumed a thread in remote process 3656
Process injection Process 3824 resumed a thread in remote process 3896
Process injection Process 4060 resumed a thread in remote process 2424
Process injection Process 3328 resumed a thread in remote process 3424
Process injection Process 3712 resumed a thread in remote process 3772
Process injection Process 4024 resumed a thread in remote process 4072
Process injection Process 2436 resumed a thread in remote process 3352
Process injection Process 3760 resumed a thread in remote process 3864
Process injection Process 3044 resumed a thread in remote process 3004
Process injection Process 3632 resumed a thread in remote process 3928
Time & API Arguments Status Return Repeated
1620010806.389
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3132
success 0 0
1620010816.171626
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3408
success 0 0
1620010820.858125
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3656
success 0 0
1620010824.999375
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3896
success 0 0
1620010830.952
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2424
success 0 0
1620010837.18675
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3424
success 0 0
1620010842.98325
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3772
success 0 0
1620010848.749
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 4072
success 0 0
1620010853.202
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3352
success 0 0
1620010857.624125
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3864
success 0 0
1620010862.139875
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3004
success 0 0
1620010866.827125
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3928
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 102 events)
Time & API Arguments Status Return Repeated
1620010804.389375
CreateProcessInternalW
thread_identifier: 3040
thread_handle: 0x00000104
process_identifier: 2228
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\notepad.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1620010804.389375
NtAllocateVirtualMemory
process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1620010804.389375
NtAllocateVirtualMemory
process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
process_handle: 0x000000fc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000c0000
success 0 0
1620010804.389375
WriteProcessMemory
process_identifier: 2228
buffer: (raw binary blob omitted)
process_handle: 0x000000fc
base_address: 0x000b0000
success 1 0
1620010804.389375
WriteProcessMemory
process_identifier: 2228
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f1b9a9a8d0190657936178dc7c0d6769.exeC:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f1b9a9a8d0190657936178dc7c0d6769.exe" websEt bHTedHtXP = CreAtEOBject("WscRIPt.sHelL") BhteDHtxP.Run """%ls""", 0, False
process_handle: 0x000000fc
base_address: 0x000c0000
success 1 0
1620010804.967375
CreateProcessInternalW
thread_identifier: 2364
thread_handle: 0x000000d0
process_identifier: 1164
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000000cc
inherit_handles: 0
success 1 0
1620010805.561
CreateProcessInternalW
thread_identifier: 3136
thread_handle: 0x00000104
process_identifier: 3132
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1620010805.561
NtUnmapViewOfSection
process_identifier: 3132
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1620010805.577
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3132
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1620010805.655
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1620010805.655
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3132
success 0 0
1620010806.389
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3132
success 0 0
1620010806.624
CreateProcessInternalW
thread_identifier: 3208
thread_handle: 0x00000108
process_identifier: 3204
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe" 2 3132 3690218
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1620010814.186501
CreateProcessInternalW
thread_identifier: 3336
thread_handle: 0x0000019c
process_identifier: 3332
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x000001a0
inherit_handles: 0
success 1 0
1620010815.546626
CreateProcessInternalW
thread_identifier: 3412
thread_handle: 0x00000104
process_identifier: 3408
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1620010815.546626
NtUnmapViewOfSection
process_identifier: 3408
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1620010815.577626
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3408
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1620010815.639626
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1620010815.655626
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3408
success 0 0
1620010816.171626
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3408
success 0 0
1620010816.233626
CreateProcessInternalW
thread_identifier: 3480
thread_handle: 0x00000108
process_identifier: 3476
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe" 2 3408 3700000
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1620010819.530875
CreateProcessInternalW
thread_identifier: 3592
thread_handle: 0x00000140
process_identifier: 3588
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000144
inherit_handles: 0
success 1 0
1620010820.233125
CreateProcessInternalW
thread_identifier: 3660
thread_handle: 0x00000104
process_identifier: 3656
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1620010820.233125
NtUnmapViewOfSection
process_identifier: 3656
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1620010820.249125
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3656
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1620010820.358125
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1620010820.374125
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3656
success 0 0
1620010820.858125
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3656
success 0 0
1620010821.561125
CreateProcessInternalW
thread_identifier: 3720
thread_handle: 0x00000108
process_identifier: 3716
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe" 2 3656 3704687
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1620010823.764
CreateProcessInternalW
thread_identifier: 3828
thread_handle: 0x0000012c
process_identifier: 3824
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000130
inherit_handles: 0
success 1 0
1620010824.546375
CreateProcessInternalW
thread_identifier: 3900
thread_handle: 0x00000104
process_identifier: 3896
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1620010824.546375
NtUnmapViewOfSection
process_identifier: 3896
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1620010824.546375
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3896
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1620010824.639375
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1620010824.639375
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 3896
success 0 0
1620010824.999375
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 3896
success 0 0
1620010825.921375
CreateProcessInternalW
thread_identifier: 3960
thread_handle: 0x00000108
process_identifier: 3956
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe" 2 3896 3708828
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1620010829.092375
CreateProcessInternalW
thread_identifier: 4064
thread_handle: 0x0000011c
process_identifier: 4060
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000120
inherit_handles: 0
success 1 0
1620010830.499
CreateProcessInternalW
thread_identifier: 2900
thread_handle: 0x00000104
process_identifier: 2424
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1620010830.499
NtUnmapViewOfSection
process_identifier: 2424
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1620010830.53
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 2424
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1620010830.608
NtGetContextThread
thread_handle: 0x00000104
success 0 0
1620010830.624
NtSetContextThread
thread_handle: 0x00000104
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5503440
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2424
success 0 0
1620010830.952
NtResumeThread
thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2424
success 0 0
1620010831.671
CreateProcessInternalW
thread_identifier: 3244
thread_handle: 0x00000108
process_identifier: 3224
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe" 2 2424 3714781
filepath_r:
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1620010836.124875
CreateProcessInternalW
thread_identifier: 3240
thread_handle: 0x0000014c
process_identifier: 3328
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe
stack_pivoted: 0
creation_flags: 32 (NORMAL_PRIORITY_CLASS)
process_handle: 0x00000150
inherit_handles: 0
success 1 0
1620010836.59275
CreateProcessInternalW
thread_identifier: 300
thread_handle: 0x00000104
process_identifier: 3424
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Roaming\appdata\dndjsfmsdds.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000fc
inherit_handles: 0
success 1 0
1620010836.59275
NtUnmapViewOfSection
process_identifier: 3424
region_size: 4096
process_handle: 0x000000fc
base_address: 0x00400000
success 0 0
1620010836.60875
NtMapViewOfSection
section_handle: 0x0000010c
process_identifier: 3424
commit_size: 1314816
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x000000fc
allocation_type: 0 ()
section_offset: 0
view_size: 1314816
base_address: 0x00400000
success 0 0
1620010836.67175
NtGetContextThread
thread_handle: 0x00000104
success 0 0
File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)
MicroWorld-eScan Gen:Variant.Zusy.310100
FireEye Generic.mg.f1b9a9a8d0190657
CAT-QuickHeal Trojan.IGENERIC
McAfee Fareit-FPQ!F1B9A9A8D019
Cylance Unsafe
Zillya Trojan.Injector.Win32.754948
Sangfor Malware
K7AntiVirus Trojan ( 0056b5241 )
Alibaba Trojan:Win32/DelfInject.ali2000015
K7GW Trojan ( 0056b5241 )
Cybereason malicious.d87ccb
Invincea heuristic
F-Prot W32/Trojan3.APIW
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Trojan-gen
ClamAV Win.Dropper.Nanocore-9142740-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Gen:Variant.Zusy.310100
NANO-Antivirus Trojan.Win32.Kryptik.hpcpcs
ViRobot Trojan.Win32.Z.Zusy.953344.A
Rising Trojan.Injector!1.C99D (CLOUD)
Endgame malicious (high confidence)
Sophos Mal/Generic-S
F-Secure Trojan.TR/Injector.qtfdu
DrWeb Trojan.DownLoader34.9756
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0DGT20
Trapmine malicious.moderate.ml.score
Emsisoft Gen:Variant.Zusy.310100 (B)
Paloalto generic.ml
Cyren W32/Trojan.LCUO-5348
Jiangmin Trojan.Kryptik.byk
Avira TR/Injector.qtfdu
MAX malware (ai score=88)
Antiy-AVL Trojan/Win32.Kryptik
Microsoft Trojan:Win32/FormBook!rfn
Arcabit Trojan.Zusy.D4BB54
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Gen:Variant.Zusy.310100
Cynet Malicious (score: 85)
AhnLab-V3 Suspicious/Win.Delphiless.X2091
Acronis suspicious
VBA32 TScope.Trojan.Delf
Ad-Aware Gen:Variant.Zusy.310100
Malwarebytes Backdoor.Quasar
Zoner Trojan.Win32.91603
ESET-NOD32 a variant of Win32/Injector.EMTN
TrendMicro-HouseCall TROJ_GEN.R002C0DGT20
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x47113c VirtualFree
0x471140 VirtualAlloc
0x471144 LocalFree
0x471148 LocalAlloc
0x47114c GetVersion
0x471150 GetCurrentThreadId
0x47115c VirtualQuery
0x471160 WideCharToMultiByte
0x471164 MultiByteToWideChar
0x471168 lstrlenA
0x47116c lstrcpynA
0x471170 LoadLibraryExA
0x471174 GetThreadLocale
0x471178 GetStartupInfoA
0x47117c GetProcAddress
0x471180 GetModuleHandleA
0x471184 GetModuleFileNameA
0x471188 GetLocaleInfoA
0x47118c GetCommandLineA
0x471190 FreeLibrary
0x471194 FindFirstFileA
0x471198 FindClose
0x47119c ExitProcess
0x4711a0 WriteFile
0x4711a8 RtlUnwind
0x4711ac RaiseException
0x4711b0 GetStdHandle
Library user32.dll:
0x4711b8 GetKeyboardType
0x4711bc LoadStringA
0x4711c0 MessageBoxA
0x4711c4 CharNextA
Library advapi32.dll:
0x4711cc RegQueryValueExA
0x4711d0 RegOpenKeyExA
0x4711d4 RegCloseKey
Library oleaut32.dll:
0x4711dc SysFreeString
0x4711e0 SysReAllocStringLen
0x4711e4 SysAllocStringLen
Library kernel32.dll:
0x4711ec TlsSetValue
0x4711f0 TlsGetValue
0x4711f4 LocalAlloc
0x4711f8 GetModuleHandleA
Library advapi32.dll:
0x471200 RegQueryValueExA
0x471204 RegOpenKeyExA
0x471208 RegCloseKey
Library kernel32.dll:
0x471210 lstrcpyA
0x471214 WriteFile
0x471218 WaitForSingleObject
0x47121c VirtualQuery
0x471220 VirtualAlloc
0x471224 Sleep
0x471228 SizeofResource
0x47122c SetThreadLocale
0x471230 SetFilePointer
0x471234 SetEvent
0x471238 SetErrorMode
0x47123c SetEndOfFile
0x471240 ResetEvent
0x471244 ReadFile
0x471248 MulDiv
0x47124c LockResource
0x471250 LoadResource
0x471254 LoadLibraryA
0x471260 GlobalUnlock
0x471264 GlobalReAlloc
0x471268 GlobalHandle
0x47126c GlobalLock
0x471270 GlobalFree
0x471274 GlobalFindAtomA
0x471278 GlobalDeleteAtom
0x47127c GlobalAlloc
0x471280 GlobalAddAtomA
0x471284 GetVersionExA
0x471288 GetVersion
0x47128c GetTickCount
0x471290 GetThreadLocale
0x471294 GetSystemInfo
0x471298 GetStringTypeExA
0x47129c GetStdHandle
0x4712a0 GetProcAddress
0x4712a4 GetModuleHandleA
0x4712a8 GetModuleFileNameA
0x4712ac GetLocaleInfoA
0x4712b0 GetLocalTime
0x4712b4 GetLastError
0x4712b8 GetFullPathNameA
0x4712bc GetDiskFreeSpaceA
0x4712c0 GetDateFormatA
0x4712c4 GetCurrentThreadId
0x4712c8 GetCurrentProcessId
0x4712cc GetCPInfo
0x4712d0 GetACP
0x4712d4 FreeResource
0x4712d8 InterlockedExchange
0x4712dc FreeLibrary
0x4712e0 FormatMessageA
0x4712e4 FindResourceA
0x4712e8 EnumCalendarInfoA
0x4712f4 CreateThread
0x4712f8 CreateFileA
0x4712fc CreateEventA
0x471300 CompareStringA
0x471304 CloseHandle
Library version.dll:
0x47130c VerQueryValueA
0x471314 GetFileVersionInfoA
Library gdi32.dll:
0x47131c UnrealizeObject
0x471320 StretchBlt
0x471324 SetWindowOrgEx
0x471328 SetViewportOrgEx
0x47132c SetTextColor
0x471330 SetStretchBltMode
0x471334 SetROP2
0x471338 SetPixel
0x47133c SetDIBColorTable
0x471340 SetBrushOrgEx
0x471344 SetBkMode
0x471348 SetBkColor
0x47134c SelectPalette
0x471350 SelectObject
0x471354 SelectClipRgn
0x471358 SaveDC
0x47135c RestoreDC
0x471360 Rectangle
0x471364 RectVisible
0x471368 RealizePalette
0x47136c PatBlt
0x471370 MoveToEx
0x471374 MaskBlt
0x471378 LineTo
0x47137c IntersectClipRect
0x471380 GetWindowOrgEx
0x471384 GetTextMetricsA
0x471390 GetStockObject
0x471394 GetPixel
0x471398 GetPaletteEntries
0x47139c GetObjectA
0x4713a0 GetDeviceCaps
0x4713a4 GetDIBits
0x4713a8 GetDIBColorTable
0x4713ac GetDCOrgEx
0x4713b4 GetClipRgn
0x4713b8 GetClipBox
0x4713bc GetBrushOrgEx
0x4713c0 GetBitmapBits
0x4713c4 ExcludeClipRect
0x4713c8 DeleteObject
0x4713cc DeleteDC
0x4713d0 CreateSolidBrush
0x4713d4 CreateRectRgn
0x4713d8 CreatePenIndirect
0x4713dc CreatePen
0x4713e0 CreatePalette
0x4713e8 CreateFontIndirectA
0x4713ec CreateDIBitmap
0x4713f0 CreateDIBSection
0x4713f4 CreateCompatibleDC
0x4713fc CreateBrushIndirect
0x471400 CreateBitmap
0x471404 BitBlt
Library user32.dll:
0x47140c CreateWindowExA
0x471410 WindowFromPoint
0x471414 WinHelpA
0x471418 WaitMessage
0x47141c ValidateRect
0x471420 UpdateWindow
0x471424 UnregisterClassA
0x471428 UnhookWindowsHookEx
0x47142c TranslateMessage
0x471434 TrackPopupMenu
0x47143c ShowWindow
0x471440 ShowScrollBar
0x471444 ShowOwnedPopups
0x471448 ShowCursor
0x47144c SetWindowsHookExA
0x471450 SetWindowPos
0x471454 SetWindowPlacement
0x471458 SetWindowLongA
0x47145c SetTimer
0x471460 SetScrollRange
0x471464 SetScrollPos
0x471468 SetScrollInfo
0x47146c SetRect
0x471470 SetPropA
0x471474 SetParent
0x471478 SetMenuItemInfoA
0x47147c SetMenu
0x471480 SetForegroundWindow
0x471484 SetFocus
0x471488 SetCursor
0x47148c SetClassLongA
0x471490 SetCapture
0x471494 SetActiveWindow
0x471498 SendMessageA
0x47149c ScrollWindow
0x4714a0 ScreenToClient
0x4714a4 RemovePropA
0x4714a8 RemoveMenu
0x4714ac ReleaseDC
0x4714b0 ReleaseCapture
0x4714bc RegisterClassA
0x4714c0 RedrawWindow
0x4714c4 PtInRect
0x4714c8 PostQuitMessage
0x4714cc PostMessageA
0x4714d0 PeekMessageA
0x4714d4 OffsetRect
0x4714d8 OemToCharA
0x4714dc MessageBoxA
0x4714e0 MapWindowPoints
0x4714e4 MapVirtualKeyA
0x4714e8 LoadStringA
0x4714ec LoadKeyboardLayoutA
0x4714f0 LoadIconA
0x4714f4 LoadCursorA
0x4714f8 LoadBitmapA
0x4714fc KillTimer
0x471500 IsZoomed
0x471504 IsWindowVisible
0x471508 IsWindowEnabled
0x47150c IsWindow
0x471510 IsRectEmpty
0x471514 IsIconic
0x471518 IsDialogMessageA
0x47151c IsChild
0x471520 InvalidateRect
0x471524 IntersectRect
0x471528 InsertMenuItemA
0x47152c InsertMenuA
0x471530 InflateRect
0x471538 GetWindowTextA
0x47153c GetWindowRect
0x471540 GetWindowPlacement
0x471544 GetWindowLongA
0x471548 GetWindowDC
0x47154c GetTopWindow
0x471550 GetSystemMetrics
0x471554 GetSystemMenu
0x471558 GetSysColorBrush
0x47155c GetSysColor
0x471560 GetSubMenu
0x471564 GetScrollRange
0x471568 GetScrollPos
0x47156c GetScrollInfo
0x471570 GetPropA
0x471574 GetParent
0x471578 GetWindow
0x47157c GetMenuStringA
0x471580 GetMenuState
0x471584 GetMenuItemInfoA
0x471588 GetMenuItemID
0x47158c GetMenuItemCount
0x471590 GetMenu
0x471594 GetLastActivePopup
0x471598 GetKeyboardState
0x4715a0 GetKeyboardLayout
0x4715a4 GetKeyState
0x4715a8 GetKeyNameTextA
0x4715ac GetIconInfo
0x4715b0 GetForegroundWindow
0x4715b4 GetFocus
0x4715b8 GetDlgItem
0x4715bc GetDesktopWindow
0x4715c0 GetDCEx
0x4715c4 GetDC
0x4715c8 GetCursorPos
0x4715cc GetCursor
0x4715d0 GetClientRect
0x4715d4 GetClassNameA
0x4715d8 GetClassInfoA
0x4715dc GetCapture
0x4715e0 GetActiveWindow
0x4715e4 FrameRect
0x4715e8 FindWindowA
0x4715ec FillRect
0x4715f0 EqualRect
0x4715f4 EnumWindows
0x4715f8 EnumThreadWindows
0x4715fc EndPaint
0x471600 EndDeferWindowPos
0x471604 EnableWindow
0x471608 EnableScrollBar
0x47160c EnableMenuItem
0x471610 DrawTextA
0x471614 DrawMenuBar
0x471618 DrawIconEx
0x47161c DrawIcon
0x471620 DrawFrameControl
0x471624 DrawFocusRect
0x471628 DrawEdge
0x47162c DispatchMessageA
0x471630 DestroyWindow
0x471634 DestroyMenu
0x471638 DestroyIcon
0x47163c DestroyCursor
0x471640 DeleteMenu
0x471644 DeferWindowPos
0x471648 DefWindowProcA
0x47164c DefMDIChildProcA
0x471650 DefFrameProcA
0x471654 CreatePopupMenu
0x471658 CreateMenu
0x47165c CreateIcon
0x471660 ClientToScreen
0x471664 CheckMenuItem
0x471668 CallWindowProcA
0x47166c CallNextHookEx
0x471670 BeginPaint
0x471674 BeginDeferWindowPos
0x471678 CharNextA
0x47167c CharLowerA
0x471680 CharToOemA
0x471684 AdjustWindowRectEx
Library kernel32.dll:
0x471690 Sleep
Library oleaut32.dll:
0x471698 SafeArrayPtrOfIndex
0x47169c SafeArrayGetUBound
0x4716a0 SafeArrayGetLBound
0x4716a4 SafeArrayCreate
0x4716a8 VariantChangeType
0x4716ac VariantCopy
0x4716b0 VariantClear
0x4716b4 VariantInit
Library comctl32.dll:
0x4716c4 ImageList_Write
0x4716c8 ImageList_Read
0x4716d8 ImageList_DragMove
0x4716dc ImageList_DragLeave
0x4716e0 ImageList_DragEnter
0x4716e4 ImageList_EndDrag
0x4716e8 ImageList_BeginDrag
0x4716ec ImageList_Remove
0x4716f0 ImageList_DrawEx
0x4716f4 ImageList_Draw
0x471704 ImageList_Add
0x47170c ImageList_Destroy
0x471710 ImageList_Create
0x471714 InitCommonControls
Library comdlg32.dll:
0x47171c GetOpenFileNameA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.