360's behaviour here is baffling: the downloaded package was killed the moment it finished downloading; after restoring it from quarantine without adding it to the whitelist, unpacking it and scanning it again with 360, it was no longer detected. Double-clicking it was blocked by HMPA.
Mitigation HeapHeapProtect
Timestamp 2024-03-19T04:17:26
Platform 10.0.19045/x64 v979 06_4e%
PID 7436
WoW x86
Feature 00FD2F70000001A2
Application D:\2024年度个人所得税综合所得汇算清缴事项调整新政策\2024年度个人所得税综合所得汇算清缴事项调整新政策.exe
Created 2024-03-19T04:17:18
Description 2024年度个人所得税综合所得汇算清缴事项调整新政策.exe
Callee Type ProtectVirtualMemory
0x10001000 (65024 bytes)
Shellcode (HHP) (0x0000FE00 bytes : start at 10001000)
Target address info: (anonymous)
Owner of CALLER: (anonymous; allocated by 0041F8C5, 2024年度个人所得税综合所得汇算清缴事项调整新政策.exe)
OwnerModule
Name 2024年度个人所得税综合所得汇算清缴事项调整新政策.exe
Path D:\2024年度个人所得税综合所得汇算清缴事项调整新政策\2024年度个人所得税综合所得汇算清缴事项调整新政策.exe
Thumbprint 8bd6f948a3254ef4fca30011a4e2ba17d012118b594ffab6987116ff2c877a13
SHA-256 b5ade80f6442a76aea2b86c051f90794438d9e7b4bdaef8952698549bd0ad389
SHA-1 ef41ebb02e2ac9f9bd36bff36fcb30ba78749dbf
MD5 370702acfea24f4163ae46a573787e0d
Current process is not signed
OwnerModule is not signed
005F0387 ff55fc CALL DWORD [EBP-0x4]
005F038A 8b45f8 MOV EAX, [EBP-0x8]
005F038D 43 INC EBX
005F038E 83c628 ADD ESI, 0x28
005F0391 8b38 MOV EDI, [EAX]
005F0393 0fb74706 MOVZX EAX, WORD [EDI+0x6]
005F0397 3bd8 CMP EBX, EAX
005F0399 8b45f4 MOV EAX, [EBP-0xc]
005F039C 0f8c40ffffff JL 0x5f02e2
005F03A2 5f POP EDI
005F03A3 5e POP ESI
005F03A4 5b POP EBX
005F03A5 c9 LEAVE
005F03A6 c3 RET
005F03A7 55 PUSH EBP
005F03A8 8bec MOV EBP, ESP
----- SNIP HERE -----
----- END SNIP -----
Stack Trace
# Address Module Location
-- -------- ------------------------ ----------------------------------------
1 7589803A KernelBase.dll VirtualProtect +0x2a
2 005F038A (anonymous; 2024年度个人所得税综合所得汇算清缴事项调整新政策.exe)
8b45f8 MOV EAX, [EBP-0x8]
43 INC EBX
83c628 ADD ESI, 0x28
8b38 MOV EDI, [EAX]
0fb74706 MOVZX EAX, WORD [EDI+0x6]
3bd8 CMP EBX, EAX
8b45f4 MOV EAX, [EBP-0xc]
0f8c40ffffff JL 0x5f02e2
5f POP EDI
5e POP ESI
5b POP EBX
c9 LEAVE
c3 RET
3 005F06B9 (anonymous; 2024年度个人所得税综合所得汇算清缴事项调整新政策.exe)
4 005F01BE (anonymous; 2024年度个人所得税综合所得汇算清缴事项调整新政策.exe)
5 005F0021 (anonymous; 2024年度个人所得税综合所得汇算清缴事项调整新政策.exe)
6 76AEFCC9 kernel32.dll BaseThreadInitThunk +0x19
7 772B7C5E ntdll.dll RtlGetAppContainerNamedObjectPath +0x11e
8 772B7C2E ntdll.dll RtlGetAppContainerNamedObjectPath +0xee
Loaded Modules (26)
-----------------------------------------------------------------------------
00400000-004C7000 2024年度个人所得税综合所得汇算清缴事项调整新政策.exe (),
version:
77250000-773F4000 ntdll.dll (Microsoft Corporation),
version: 10.0.19041.3996 (WinBuild.160101.0800)
74390000-744D4000 hmpalert.dll (Sophos B.V.),
version: 3.8.26.979
76AD0000-76BC0000 KERNEL32.dll (Microsoft Corporation),
version: 10.0.19041.3636 (WinBuild.160101.0800)
75760000-7599A000 KERNELBASE.dll (Microsoft Corporation),
version: 10.0.19041.4170 (WinBuild.160101.0800)
6AC60000-6ACFF000 apphelp.dll (Microsoft Corporation),
version: 10.0.19041.3636 (WinBuild.160101.0800)
76360000-764FC000 USER32.dll (Microsoft Corporation),
version: 10.0.19041.4170 (WinBuild.160101.0800)
768A0000-768B8000 win32u.dll (Microsoft Corporation),
version: 10.0.19041.4123 (WinBuild.160101.0800)
768C0000-768E3000 GDI32.dll (Microsoft Corporation),
version: 10.0.19041.3996 (WinBuild.160101.0800)
76720000-76805000 gdi32full.dll (Microsoft Corporation),
version: 10.0.19041.4123 (WinBuild.160101.0800)
75240000-752BB000 msvcp_win.dll (Microsoft Corporation),
version: 10.0.19041.3636 (WinBuild.160101.0800)
769B0000-76AD0000 ucrtbase.dll (Microsoft Corporation),
version: 10.0.19041.3636 (WinBuild.160101.0800)
750D0000-7514D000 ADVAPI32.dll (Microsoft Corporation),
version: 10.0.19041.4170 (WinBuild.160101.0800)
76DC0000-76E7F000 msvcrt.dll (Microsoft Corporation),
version: 7.0.19041.3636 (WinBuild.160101.0800)
76520000-76598000 sechost.dll (Microsoft Corporation),
version: 10.0.19041.4170 (WinBuild.160101.0800)
768F0000-769AE000 RPCRT4.dll (Microsoft Corporation),
version: 10.0.19041.4123 (WinBuild.160101.0800)
76500000-76519000 bcrypt.dll (Microsoft Corporation),
version: 10.0.19041.3636 (WinBuild.160101.0800)
75CA0000-76278000 SHELL32.dll (Microsoft Corporation),
version: 10.0.19041.4170 (WinBuild.160101.0800)
75150000-75233000 ole32.dll (Microsoft Corporation),
version: 10.0.19041.3636 (WinBuild.160101.0800)
76E80000-77100000 combase.dll (Microsoft Corporation),
version: 10.0.19041.4123 (WinBuild.160101.0800)
76BE0000-76C76000 OLEAUT32.dll (Microsoft Corporation),
version: 10.0.19041.3636 (WinBuild.160101.0800)
75A30000-75A75000 SHLWAPI.dll (Microsoft Corporation),
version: 10.0.19041.3636 (WinBuild.160101.0800)
72EA0000-732F5000 WININET.dll (Microsoft Corporation),
version: 11.00.19041.3636 (WinBuild.160101.0800)
76280000-762A6000 IMM32.DLL (Microsoft Corporation),
version: 10.0.19041.3996 (WinBuild.160101.0800)
75C30000-75C93000 ws2_32.dll (Microsoft Corporation),
version: 10.0.19041.3636 (WinBuild.160101.0800)
74680000-746D2000 mswsock.dll (Microsoft Corporation),
version: 10.0.19041.3636 (WinBuild.160101.0800)
Process Trace
1 D:\2024年度个人所得税综合所得汇算清缴事项调整新政策\2024年度个人所得税综合所得汇算清缴事项调整新政策.exe [7436]
2 C:\Windows\explorer.exe [972]
Dropped Files
1 C:\Users\ak\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x00000000000000e5.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
2 C:\Users\ak\AppData\Roaming\kingsoft\nse\language\zh_CN.ts
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
Read by \Device\HarddiskVolume3\Windows\explorer.exe [972]
3 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn8249.tmp
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
4 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn8269.tmp
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
5 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
6 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
7 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
8 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
9 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
10 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
11 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
12 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
13 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
14 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
15 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
16 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
17 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
18 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
19 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
20 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
21 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
22 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
23 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
24 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
25 C:\USERS\AK\APPDATA\LOCAL\MICROSOFT\WINDOWS\EXPLORER\THUMBCACHE_256.DB
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
26 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
27 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
28 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
29 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
30 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
31 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
32 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
33 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
34 C:\Users\ak\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
35 C:\Users\ak\AppData\Roaming\Microsoft\Windows\Recent\infected.lnk
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
36 C:\Users\ak\AppData\Roaming\Microsoft\Windows\Recent\软件 (D).lnk
Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [972]
Thumbprints
8bd6f948a3254ef4fca30011a4e2ba17d012118b594ffab6987116ff2c877a13 (hhp-ownermodule)
dac22888208663594a58548041301d5b5cc47f3a8faed503c66facd3af295859 (hhp-fhsh-ownmod)
f849247d307ec06a3517c426254399603a3f8f31334060a7ff00b281365cd1c2 (hhp-pfn)
8bf4e93c913fdfd1ce13013ef8bec71b9d513d51d79fd90aea8261eec2f43ec5 (code)
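The caller frames in the stack trace (005F0387 to 005F039C) read like the section loop of a manual PE mapper: the loop bound is a WORD at [EDI+0x6], which is IMAGE_NT_HEADERS.FileHeader.NumberOfSections when EDI points at the "PE\0\0" signature; ESI advances 0x28 bytes per iteration, the size of one IMAGE_SECTION_HEADER; and each iteration ends in the VirtualProtect call that HitmanPro.Alert's HeapHeapProtect mitigation stopped. The target, 0x10001000 with 0xFE00 bytes in an anonymous (non-image-backed) region, is consistent with the first section of a PE32 DLL being mapped by hand at the default image base 0x10000000. This is an inference from the disassembly in the log, not something the post states. The following is an added example, not code from the post or from the sample: a portable C model of that loop that parses the section table of a constructed minimal PE header and derives the PAGE_* value each section would be given, so it runs on any platform without calling Windows APIs. The helper names and the sample image are assumptions made for illustration.

```c
/* Added example (not from the original post): models the per-section
 * VirtualProtect loop seen in the log's caller, portably and offline. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_READ    0x40000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u
#define PAGE_NOACCESS          0x01u
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define SECTION_HEADER_SIZE    0x28u   /* the ADD ESI, 0x28 stride in the log */

typedef struct {
    char     name[9];
    uint32_t virtual_address;
    uint32_t virtual_size;
    uint32_t characteristics;
    uint32_t protect;   /* what a mapper would pass to VirtualProtect */
} section_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xFFFF)); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Map IMAGE_SCN_MEM_* bits to the PAGE_* constant a mapper would request. */
uint32_t protect_from_characteristics(uint32_t ch) {
    int x = !!(ch & IMAGE_SCN_MEM_EXECUTE), r = !!(ch & IMAGE_SCN_MEM_READ);
    int w = !!(ch & IMAGE_SCN_MEM_WRITE);
    if (x) return w ? PAGE_EXECUTE_READWRITE : (r ? PAGE_EXECUTE_READ : PAGE_EXECUTE);
    if (w) return PAGE_READWRITE;   /* Windows has no write-only page */
    return r ? PAGE_READONLY : PAGE_NOACCESS;
}

/* Walk the section table of an in-memory PE image. Returns the number of
 * sections written to out, or -1 if the headers do not fit in len bytes. */
int parse_sections(const uint8_t *img, size_t len, section_info *out, int max_out) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24) return -1;
    const uint8_t *nt = img + e_lfanew;          /* IMAGE_NT_HEADERS, like EDI in the log */
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(nt + 6);                /* MOVZX EAX, WORD [EDI+0x6] */
    size_t off = e_lfanew + 24 + rd16(nt + 20);  /* skip the optional header */
    int n = 0;
    for (uint16_t i = 0; i < nsec && n < max_out; i++, off += SECTION_HEADER_SIZE) {
        if (off > len || len - off < SECTION_HEADER_SIZE) return -1;
        const uint8_t *sh = img + off;
        memcpy(out[n].name, sh, 8); out[n].name[8] = '\0';
        out[n].virtual_size    = rd32(sh + 8);
        out[n].virtual_address = rd32(sh + 12);
        out[n].characteristics = rd32(sh + 36);
        out[n].protect = protect_from_characteristics(out[n].characteristics);
        n++;
    }
    return n;
}

/* Number of iterations that would ask VirtualProtect for an executable page.
 * On memory that is not image-backed (the "anonymous" region in the log) that
 * is the call HeapHeapProtect flags. */
int count_execute_requests(const section_info *s, int n) {
    const uint32_t exec_mask = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE;
    int c = 0;
    for (int i = 0; i < n; i++) c += (s[i].protect & exec_mask) != 0;
    return c;
}

/* Constructed sample: a PE32 header with three sections and no real code.
 * The .text size 0xFE00 mirrors the 65024-byte region in the log. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    const size_t opt = 0xE0, total = 0x40 + 24 + opt + 3 * SECTION_HEADER_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);              /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    wr16(buf + 0x44, 0x014C);            /* Machine: i386, matching "WoW x86" */
    wr16(buf + 0x46, 3);                 /* NumberOfSections */
    wr16(buf + 0x54, (uint16_t)opt);     /* SizeOfOptionalHeader */
    wr16(buf + 0x58, 0x10B);             /* optional header Magic: PE32 */
    struct { const char *name; uint32_t va, vs, ch; } secs[3] = {
        { ".text",  0x1000,  0xFE00, 0x60000020 },  /* CODE|EXECUTE|READ */
        { ".rdata", 0x11000, 0x0800, 0x40000040 },  /* INITIALIZED_DATA|READ */
        { ".data",  0x12000, 0x0400, 0xC0000040 },  /* INITIALIZED_DATA|READ|WRITE */
    };
    uint8_t *sh = buf + 0x58 + opt;
    for (int i = 0; i < 3; i++, sh += SECTION_HEADER_SIZE) {
        memcpy(sh, secs[i].name, strlen(secs[i].name));
        wr32(sh + 8, secs[i].vs); wr32(sh + 12, secs[i].va); wr32(sh + 36, secs[i].ch);
    }
    return total;
}

int main(void) {
    uint8_t img[512]; section_info s[8];
    int n = parse_sections(img, build_sample_image(img, sizeof img), s, 8);
    for (int i = 0; i < n; i++)
        printf("%-8s va=%#07x size=%#06x protect=%#04x\n", s[i].name,
               (unsigned)s[i].virtual_address, (unsigned)s[i].virtual_size, (unsigned)s[i].protect);
    printf("execute requests: %d\n", count_execute_requests(s, n));
    return 0;
}
```

The point for a defender is the asymmetry the log shows: the mapper's own code is unremarkable (it is the same loop a legitimate loader runs), but its target is not. A region that was never mapped from a file on disk and then receives an execute protection is what HeapHeapProtect keys on, and the same condition is a reasonable EDR hunting rule: VirtualProtect with a PAGE_EXECUTE* new protection whose base address lies outside every loaded module.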