Is this the same thing repacked with a different shell? hmpa's interception point is identical every time.

Mitigation HeapHeapProtect
Timestamp 2025-07-11T02:24:29
Platform 10.0.22631/x64 v2019 06_a5%
PID 10400
Feature 00FD2F70000001A2
Application C:\Users\Lenovo\Downloads\20250711银狐1x\bii.968128004.exe
Created 2025-07-11T02:11:35
Description OutlookAttachView 3.54
Callee Type ProtectVirtualMemory
0x0000000000950000 (39429 bytes)
Shellcode (HHP) (0x00009A05 bytes : start at 0000000000950000)
Target address info: (anonymous)
Owner of CALLER: (anonymous; allocated by 0000000140002A55, bii.968128004.exe)
OwnerModule
Name bii.968128004.exe
Path C:\Users\Lenovo\Downloads\20250711银狐1x\bii.968128004.exe
Thumbprint f7aa8048650d5a83c724db5dfeb169c9d96466414c20508242b00d960cb37231
SHA-256 8867ee0ebd2420479d88f9a39b3a3188f6ec7997e52244b38442d33d34848d57
SHA-1 d35b6035587327c14fde989a41ad6101895fa028
MD5 1c1d949667f8defee6608a6b814d0307
Current process is not signed
OwnerModule is not signed
00000000007BB7B5 ff9424a0000000 CALL QWORD [RSP+0xa0]
00000000007BB7BC 85c0 TEST EAX, EAX
00000000007BB7BE 753c JNZ 0x7bb7fc
00000000007BB7C0 c744243000000000 MOV DWORD [RSP+0x30], 0x0
00000000007BB7C8 eb0a JMP 0x7bb7d4
00000000007BB7CA 8b442430 MOV EAX, [RSP+0x30]
00000000007BB7CE ffc0 INC EAX
00000000007BB7D0 89442430 MOV [RSP+0x30], EAX
00000000007BB7D4 837c243064 CMP DWORD [RSP+0x30], 0x64
00000000007BB7D9 7d1f JGE 0x7bb7fa
00000000007BB7DB 4863442430 MOVSXD RAX, DWORD [RSP+0x30]
00000000007BB7E0 41b800800000 MOV R8D, 0x8000
00000000007BB7E6 33d2 XOR EDX, EDX
00000000007BB7E8 488b8cc4b0000000 MOV RCX, [RSP+RAX*8+0xb0]
----- SNIP HERE -----
AAIRAQCwewAAAAAAtbd7AAAAAAAAsHsAAAAAAAAQAACUJMARAwBMjYQksBEDALoIEQMASIvI/5QkyBEDAIXAdFFIjYQkuBEDAEiJRCQgQbkEEQMATI2EJKwRAwC6FBEDAEiLjCSwEQMA/5Qk0BEDAIXAdA6LhCSsEQMAiYQkqBEDAEiLjCSwEQMA/5Qk2BEDAJCLhCSoEQMASIHE6BEDAMMRAsxAV0iB7FACEQIAx4QkoBEHAOjH/BEC/4XAD4WIAxECAMZEJCBrxkQkIWXGRCQicsZEJCNuxkQRAiRlxkQkJWzGRCQmM8ZEJCcyxkQkKC7GRCQpZMZEJCpsxkQkK2zGRCQsAMZEJDBFxkQkMXjGRCQyacZEJDN0xkQkNFDGRCQ1csZEJDZvxkQkN2PGRCQ4ZcZEJDlzxkQkOnPGRCQ7AEiNVCQwSI1MJCDo0/YRAv9IiYQkwBEDAMZEJHBHxkQkcWXGRCRydMZEJHNNxkQkdG/GRCR1ZMZEJHZ1xkQkd2zGRCR4ZcZEJHlGxkQkemnGRCR7bMZEJHxlxkQkfU7GRCR+YcZEJH9txoQkgBEDAGXGhCSBEQMAQcaEJIIRBABIjVQkcEiNTCQg6FT2EQL/SImEJKgRAwDGRCRAU8ZEJEFoxkQkQmXGRCRDbMZEJERsxkQkRTPGRCRGMsZEJEcuxkQkSGTGRCRJbMZEJEpsxkQkSwDGRCRgU8ZEJGFoxkQkYmXGRCRjbMZEJGRsxkQkZUXGRCRmeMZEJGdlxkQkaGPGRCRpdcZEJGp0xkQka2XGRCRsRcZEJG14xkQkbkHGRCRvAEiNVCRgSI1MJEDosfURAv9IiYQksBEDAMZEJFBDxkQkUWzGRCRSb8ZEJFNzxkQkVGXGRCRVSMZEJFZhxkQkV27GRCRYZMZEJFlsxkQkWmXGRCRbAEiNVCRQSI1MJCDoXvURAv9IiYQkuBEDAMaEJIgRAwBXxoQkiREDAGHGhCSKEQMAacaEJIsRAwB0xoQkjBEDAEbGhCSNEQMAb8aEJI4RAwByxoQkjxEDAFPGhCSQEQMAacaEJJERAwBuxoQkkhEDAGfGhCSTEQMAbMaEJJQRAwBlxoQklREDAE/GhCSWEQMAYsaEJJcRAwBqxoQkmBEDAGXGhCSZEQMAY8aEJJoRAwB0xoQkmxEEAEiNlCSIEQMASI1MJCDopPQRAv9IiYQkyBEDAIO8JKARBAAPha0RAwBBuAQBEQIASI2UJEABEQIAM8n/lCSoEQMASI2EJNARAwBIi/gzwLlwEQMA86rHhCTQEQMAcBEDAMeEJNQRAwBAEQMASI0FquYRAv9IiYQk4BEDAEiNhCRAARECAEiJhCToEQMASI0FTwYRAgBIiYQk8BEDAMeEJAABEQYASI2MJNARAwD/lCSwEQMAhcB0G8eEJKARAwABEQMASIuMJDgBEQIA/5QkuBEDAJDpRRED/zPJ/5QkwBEDAJBIgcRQAhECAF/DEQ7MTIlEJBhIiVQkEEiJTCQISIPsKMcEJBEEAEiLRCRASIlEJBhIx0QkEBEE/0j/RCQQSItEJBhIi0wkEIA8CAB160iLRCQQiUQkBEjHRCQIEQQA6w1Ii0QkCEj/wEiJRCQISItEJDhIOUQkCHNQi0QkBDkEJHUHxwQkEQQASGMEJEiLTCRAD74EAUiLTCQISItUJDBIA9FIi8oPvgkzyIvBSItMJAhIi1QkMEgD0UiLyogBiwQk/8CJBCTrl0iDxCjDEQzMSIlMJAhIgezYAxECAMZEJDhrxkQkOWXGRCQ6csZEJDtuxkQkPGXGRCQ9bMZEJD4zxkQkPzLGRCRALsZEJEFkxkQkQmzGRCRDbMZEJEQAxkQkWFbGRCRZacZEJFpyxkQkW3TGRCRcdcZEJF1hxkQkXmzGRCRfQcZEJGBsxkQkYWzGRCRib8ZEJBECY8ZEJGQAxkQkaFbGRCQRAmnGRCRqcsZEJGt0xkQkbHXGRCRtYcZEJG5sxkQkb1DG
RCRwcsZEJHFvxkQkcnTGRCRzZcZEJHRjxkQkdXTGRCR2AMZEJEhWxkQkSWnGRCRKcsZEJEt0xkQkTHXGRCRNYcZEJE5sxkQkT0bGRCRQcsZEJFFlxkQkUmXGRCRTAEiNVCRYSI1MJDjozPERAv9IiYQkkBEDAEiNVCRoSI1MJDjotfERAv9IiYQkoBEDAEiNVCQRAkiNTCQ46J7xEQL/SImEJIARAwDHRCR4EQQA6wqLRCR4/8CJRCR4g3wkeAUPjbcBEQIAx0QkIBEEAOsKi0QkIP/AiUQkIIN8JCBkD43MEQMAQbkEEQMAQbgAMBECAEiLlCTgAxECADPJ/5QkkBEDAEhjTCQgSImEzLARAwBIY0QkIEiDvMSwEQQAdULHRBECJBEEAOsKi0QRAiT/wIlEEQIki0QkIDlEEQIkfR9IY0QRAiRBuACAEQIAM9JIi4zEsBEDAP+UJIARAwCQ683pHAERAgBIY0QkIEiLhMSwEQMASImEJJgRAwDHRCQoEQQA6wqLRCQo/8CJRCQoSGNEJChIO4Qk4AMRAgBzE0hjRCQoSIuMJJgRAwDGBAEj69TpHxED/8dEJCwRBADrCotEJCz/wIlEJCyDfCQsZH1sSGNEJCxMjYwkiBEDAEG4QBEDAEiLlCTgAxECAEiLjMSwEQMA/5QkoBEDAIXAdTzHRCQwEQQA6wqLRCQw/8CJRCQwg3wkMGR9H0hjRCQwQbgAgBECADPSSIuMxLARAwD/lCSAEQMAkOvQ60frg8dEJDQRBADrCotEJDT/wIlEJDSDfCQ0ZH0lSGNEJDRBuACAEQIAM9JIi4zEsBEDAP+UJIARAwCJhCSMEQMA68rpNP4RAv9IgcTYAxECAMMRCMxAV0iD7GDGRCRIUMZEJElmxkQkSnjGRCRLScZEJExuxkQkTWnGRCROdMZEJE9pxkQkUGHGRCRRbMZEJFJpxkQkU3rGRCRUZcZEJFUAxkQkKG7GRCQpdMZEJCpkxkQkK2zGRCQsbMZEJC0uxkQkLmTGRCQvbMZEJDBsxkQkMQBIjVQkEQJIjUwkKOgj7xEC/0iJRCQgSI1EJDhIi/gzwLkMEQMA86pIjUwkOP9UJCCBfCQ4AAIRAgB1BjPA6wfrBbgBEQMASIPEYF/DEQnMRIlEJBhIiVQkEEiJTCQISIPsKEiLRCQ4SIlEJBBIi0QkMEiJRCQIi0QkQIkEJItEJED/yIlEJECDPCQAdCtIi0QkCEiLTCQQD7YJiAhIi0QkCEj/wEiJRCQISItEJBBI/8BIiUQkEOu+SItEJDBIg8Qow8wBBwIABwElAAEEAQAEohECAAEEAQAEIhECAAEEAQAEwhECAAEEAQAEQhECAAEJAQAJIhECAAENAQANQhECAAENAQANwhECAAEKAwAKwgZwBWARAgABDgEADqIRAgABCwIACwEXAAEHAgAHARcAAQcCAAcBHQABCQMACQFKAAJwEQIAARMBABNCEQIAAQwCAAwBewABBgIABrICcBEMAEiLBCRIg+wIVUiJ5UiD7Hn4SInsXcFADljBSBJxgUAWrULiXfj3UBr/4EUPKLY7DOsBpkFXTA9D+EFfQYFtE7/wtEJBVcPrAOsC8V5BgUEY2JTXLEFRwxEAABEAABEAABEAABEAABF2AA==
----- END SNIP -----
Stack Trace
# Address Module Location
-- ---------------- ------------------------ ----------------------------------------
1 00007FFB4A847376 KernelBase.dll VirtualProtect +0x36
2 00000000007BB7BC (anonymous; bii.968128004.exe)
85c0 TEST EAX, EAX
753c JNZ 0x7bb7fc
c744243000000000 MOV DWORD [RSP+0x30], 0x0
eb0a JMP 0x7bb7d4
3 0000000000009A05 (unknown)
Loaded Modules (29)
-----------------------------------------------------------------------------
0000000140000000-0000000144FCC000 bii.968128004.exe (NirSoft),
version: 3.54
00007FFB4D0D0000-00007FFB4D2E7000 ntdll.dll (Microsoft Corporation),
version: 10.0.22621.5624 (WinBuild.160101.0800)
00007FFAF4B50000-00007FFAF4C89000 hmpalert.dll (Sophos B.V.),
version: 3.20.2.2019
00007FFB4BCC0000-00007FFB4BD84000 KERNEL32.dll (Microsoft Corporation),
version: 10.0.22621.5415 (WinBuild.160101.0800)
00007FFB4A7E0000-00007FFB4ABB2000 KERNELBASE.dll (Microsoft Corporation),
version: 10.0.22621.5547 (WinBuild.160101.0800)
00007FFB0B170000-00007FFB0B24B000 bdhkm64.dll (BitDefender S.R.L. Bucha),
version: 1.11.236.0 #0x3d65324
00007FFB00350000-00007FFB00519000 atcuf64.dll (Bitdefender S.R.L. Bucha),
version: 1.75.422.0 #0x1fcf7d72c
00007FFB44BD0000-00007FFB44C67000 apphelp.dll (Microsoft Corporation),
version: 10.0.22621.5547 (WinBuild.160101.0800)
00007FFB4B820000-00007FFB4B9D1000 USER32.dll (Microsoft Corporation),
version: 10.0.22621.5415 (WinBuild.160101.0800)
00007FFB4ABC0000-00007FFB4ABE6000 win32u.dll (Microsoft Corporation),
version: 10.0.22621.5624 (WinBuild.160101.0800)
00007FFB4CEA0000-00007FFB4CEC9000 GDI32.dll (Microsoft Corporation),
version: 10.0.22621.5185 (WinBuild.160101.0800)
00007FFB4A360000-00007FFB4A483000 gdi32full.dll (Microsoft Corporation),
version: 10.0.22621.5624 (WinBuild.160101.0800)
00007FFB4A1C0000-00007FFB4A25A000 msvcp_win.dll (Microsoft Corporation),
version: 10.0.22621.3374 (WinBuild.160101.0800)
00007FFB4A550000-00007FFB4A661000 ucrtbase.dll (Microsoft Corporation),
version: 10.0.22621.3593 (WinBuild.160101.0800)
00007FFB4B290000-00007FFB4B395000 comdlg32.dll (Microsoft Corporation),
version: 10.0.22621.5547 (WinBuild.160101.0800)
00007FFB4BE70000-00007FFB4C203000 combase.dll (Microsoft Corporation),
version: 10.0.22621.5624 (WinBuild.160101.0800)
00007FFB4B0B0000-00007FFB4B1C4000 RPCRT4.dll (Microsoft Corporation),
version: 10.0.22621.5413 (WinBuild.160101.0800)
00007FFB4C2F0000-00007FFB4C3FC000 shcore.dll (Microsoft Corporation),
version: 10.0.22621.5547 (WinBuild.160101.0800)
00007FFB4BD90000-00007FFB4BDF9000 SHLWAPI.dll (Microsoft Corporation),
version: 10.0.22621.5547 (WinBuild.160101.0800)
00007FFB4BB50000-00007FFB4BBF7000 msvcrt.dll (Microsoft Corporation),
version: 7.0.22621.2506 (WinBuild.160101.0800)
00007FFB4C5F0000-00007FFB4CE92000 SHELL32.dll (Microsoft Corporation),
version: 10.0.22621.5547 (WinBuild.160101.0800)
00007FFB4A670000-00007FFB4A7AF000 wintypes.dll (Microsoft Corporation),
version: 10.0.22621.5262 (WinBuild.160101.0800)
00007FFB4CF30000-00007FFB4CFE1000 ADVAPI32.dll (Microsoft Corporation),
version: 10.0.22621.5624 (WinBuild.160101.0800)
00007FFB4BC00000-00007FFB4BCA8000 sechost.dll (Microsoft Corporation),
version: 10.0.22621.5415 (WinBuild.160101.0800)
00007FFB4A7B0000-00007FFB4A7D8000 bcrypt.dll (Microsoft Corporation),
version: 10.0.22621.4746 (WinBuild.160101.0800)
00007FFB4AD60000-00007FFB4AF00000 ole32.dll (Microsoft Corporation),
version: 10.0.22621.5415 (WinBuild.160101.0800)
00007FFB2D750000-00007FFB2D9EB000 COMCTL32.dll (Microsoft Corporation),
version: 6.10 (WinBuild.160101.0800)
00007FFB464C0000-00007FFB464CA000 VERSION.dll (Microsoft Corporation),
version: 10.0.22621.1 (WinBuild.160101.0800)
00007FFB4AFE0000-00007FFB4B011000 IMM32.DLL (Microsoft Corporation),
version: 10.0.22621.5185 (WinBuild.160101.0800)
Process Trace
1 C:\Users\Lenovo\Downloads\20250711银狐1x\bii.968128004.exe [10400]
2 C:\Users\Lenovo\Downloads\20250711银狐1x\bii.968128004.exe [17776]
3 C:\Windows\explorer.exe [9960]
Dropped Files
Thumbprints
f7aa8048650d5a83c724db5dfeb169c9d96466414c20508242b00d960cb37231 (hhp-ownermodule)
c2d5f1fda2fdf09727d88cb17448f06e6c577a38f4c963e54d0ef73bd932ac6a (hhp-fhsh-ownmod)
8bd6282297e86da22e2023115e4b77d8ccd59e6f5a76cc67ea2423253cf946bb (hhp-pfn)
7b68d3fd63389518efe063254713a11fadabde10073cad12842e7662c41a85e5 (code)
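The SNIP block is the quickest way to answer the "same thing repacked?" question without running the sample: decode it and compare the stack strings the shellcode builds (it writes "kernel32.dll", "ExitProcess" and similar names one byte at a time with `MOV BYTE [RSP+disp], imm8`). The script below is an added example, not part of the post and not Sophos/HMPA tooling. It base64-decodes a blob, expands the run-length escape that the dump uses, and groups the byte writes into strings. The escape rule is an inference from the dump itself, not a documented format: a `0x11` byte followed by a count and a value stands for that many copies of the value (`11 02 24` where the instruction needs `24 24`, `11 03 00` for three zero bytes); treating a count of 0 as 256 is a further assumption. The sample input is a base64-aligned slice copied from the SNIP above (constructed for the example), covering the "kernel32.dll" and "ExitProcess" setup.

```python
"""Decode an HMPA 'SNIP' dump and pull stack strings out of the shellcode."""
import base64

# Constructed sample input: a base64-aligned slice copied from the SNIP block above.
# It covers the stack-string setup for "kernel32.dll" and "ExitProcess"; the full
# blob (both lines joined) decodes with the same function.
SAMPLE_SNIP = (
    "AMZEJCBrxkQkIWXGRCQicsZEJCNuxkQRAiRlxkQkJWzGRCQmM8ZEJCcyxkQkKC7GRCQpZMZEJCps"
    "xkQkK2zGRCQsAMZEJDBFxkQkMXjGRCQyacZEJDN0xkQkNFDGRCQ1csZEJDZvxkQkN2PGRCQ4ZcZE"
    "JDlzxkQkOnPGRCQ7AEiNVCQw"
)

PRINTABLE = set(range(0x20, 0x7F))   # ASCII that can be part of a stack string


def expand_runs(raw: bytes) -> bytes:
    """Expand the run-length escape used in the dump.

    Assumption inferred from the dump, not documented by Sophos: a 0x11 byte
    starts an escape and '11 <count> <value>' stands for <count> copies of
    <value> ('11 02 24' where the code needs '24 24', '11 03 00' for three zero
    bytes). A count of 0 is treated as 256 (a further assumption).
    """
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == 0x11 and i + 2 < len(raw):
            count, value = raw[i + 1], raw[i + 2]
            out.extend(bytes([value]) * (count or 256))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def decode_snip(b64_text: str) -> bytes:
    """Base64-decode a SNIP blob (line breaks tolerated) and expand the runs."""
    return expand_runs(base64.b64decode("".join(b64_text.split())))


def stack_byte_writes(code: bytes):
    """Yield (rsp_offset, value) for each 'mov byte [rsp+disp], imm8'.

    Two encodings occur in the dump: C6 44 24 <disp8> <imm8> and
    C6 84 24 <disp32> <imm8>. Displacements are sign-extended as the CPU does.
    """
    i = 0
    while i + 4 < len(code):
        if code[i] == 0xC6 and code[i + 1:i + 3] == b"\x44\x24":
            disp = int.from_bytes(code[i + 3:i + 4], "little", signed=True)
            yield disp, code[i + 4]
            i += 5
        elif code[i] == 0xC6 and code[i + 1:i + 3] == b"\x84\x24" and i + 7 < len(code):
            disp = int.from_bytes(code[i + 3:i + 7], "little", signed=True)
            yield disp, code[i + 7]
            i += 8
        else:
            i += 1


def stack_strings(code: bytes, min_len: int = 4) -> dict:
    """Group byte writes by contiguous stack offset; return {start_offset: text}.

    Write order does not matter (the compiler may emit the bytes out of order);
    a NUL or a gap in the offsets terminates a string.
    """
    cells = dict(stack_byte_writes(code))      # last write to an offset wins
    found, buf, start = {}, bytearray(), None
    for off in sorted(cells):
        val = cells[off]
        if start is None or off != start + len(buf) or val not in PRINTABLE:
            if len(buf) >= min_len:
                found[start] = buf.decode("ascii")
            buf, start = bytearray(), None
        if val in PRINTABLE:
            if start is None:
                start = off
            buf.append(val)
    if len(buf) >= min_len:
        found[start] = buf.decode("ascii")
    return found


if __name__ == "__main__":
    code = decode_snip(SAMPLE_SNIP)
    for off, text in sorted(stack_strings(code).items()):
        print(f"[rsp+0x{off:x}] {text}")
```

Paste both SNIP lines into `decode_snip` as one string; the line break is stripped. The expansion has to run before instruction matching, because the escape also lands inside displacements (the dump has `c6 84 24 88 11 03 00 57` for a write to `[rsp+0x88]`). When run over the whole blob, the first bytes do not look like code: the values 0x7bb000 and 0x7bb7b5 (the caller address from the stack trace) appear there as little-endian qwords, which reads like a small header that this example does not parse. A sorted list of the recovered strings from two alerts is a cheap way to check whether the inner payload changed between repacks.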