SmartHawk

8.2

高危

56 个模型检测该样本为恶意！

重新分析

下载样本

a02b84b2c2fad7ba6ccd785017e5f64fe9bd1251fc3fb3cc04175d5a904568b1

1fb6ab76126bf634cfd9ba1ed0e7d0ba.exe

分析耗时

86s

最近分析

文件大小

1.2MB

静态报毒动态报毒 100% AGEN ARTEMIS AUTORUNS BLUTEAL BYPASSUAC CONFIDENCE DELF DWEUSJDIF5P EFPU FILEREPMALWARE FQYMWD GENASA GENCIRC GENERICKD GENERICRXHT HCSQ HIGH CONFIDENCE MALWARE@#14TAODVNGI6DR MDROP NNGFA0RE3YOG QVM11 R + TROJ R06EC0DI220 R274540 REMCOS SCORE SIGGEN2 SKEEYAH STATIC AI SUSGEN SUSPICIOUS PE UNSAFE XGS2URGUZJK ZELPHIF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!1FB6AB76126B	20201228	6.0.6.653
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Alibaba	TrojanDropper:Win32/Skeeyah.5d71d992	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Tencent	Malware.Win32.Gencirc.114dc659	20201228	1.0.0.1
Kingsoft		20201228	2017.9.26.565
Avast	Win32:Trojan-gen	20201228	21.1.5827.0

The executable uses a known packer (1 个事件)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Resolves a suspicious Top Level Domain (TLD) (1 个事件)

domain

mrim.mail.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619269224.641567 NtAllocateVirtualMemory	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006a0000	success
1619279606.354751 NtAllocateVirtualMemory	process_identifier: 1344 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00480000	success
1619279608.261751 NtAllocateVirtualMemory	process_identifier: 1344 region_size: 671744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x10410000	success

Foreign language identified in PE resource (12 个事件)

name

RT_BITMAP

language

LANG_ARABIC

offset

0x000ac984

filetype

empty

sublanguage

SUBLANG_ARABIC_EGYPT

size

0x000000e8

name

RT_BITMAP

language

LANG_ARABIC

offset

0x000ac984

filetype

empty

sublanguage

SUBLANG_ARABIC_EGYPT

size

0x000000e8

name

RT_BITMAP

language

LANG_ARABIC

offset

0x000ac984

filetype

empty

sublanguage

SUBLANG_ARABIC_EGYPT

size

0x000000e8

name

RT_BITMAP

language

LANG_ARABIC

offset

0x000ac984

filetype

empty

sublanguage

SUBLANG_ARABIC_EGYPT

size

0x000000e8

name

RT_BITMAP

language

LANG_ARABIC

offset

0x000ac984

filetype

empty

sublanguage

SUBLANG_ARABIC_EGYPT

size

0x000000e8

name

RT_BITMAP

language

LANG_ARABIC

offset

0x000ac984

filetype

empty

sublanguage

SUBLANG_ARABIC_EGYPT

size

0x000000e8

name

RT_BITMAP

language

LANG_ARABIC

offset

0x000ac984

filetype

empty

sublanguage

SUBLANG_ARABIC_EGYPT

size

0x000000e8

name

RT_BITMAP

language

LANG_ARABIC

offset

0x000ac984

filetype

empty

sublanguage

SUBLANG_ARABIC_EGYPT

size

0x000000e8

name

RT_BITMAP

language

LANG_ARABIC

offset

0x000ac984

filetype

empty

sublanguage

SUBLANG_ARABIC_EGYPT

size

0x000000e8

name

RT_BITMAP

language

LANG_ARABIC

offset

0x000ac984

filetype

empty

sublanguage

SUBLANG_ARABIC_EGYPT

size

0x000000e8

name

RT_BITMAP

language

LANG_ARABIC

offset

0x000ac984

filetype

empty

sublanguage

SUBLANG_ARABIC_EGYPT

size

0x000000e8

name

RT_MANIFEST

language

LANG_ARABIC

offset

0x0028a608

filetype

XML 1.0 document, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_ARABIC_EGYPT

size

0x000002f0

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\TVoood.exe

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\TVoood.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.920513391727898

section

{'size_of_data': '0x00109600', 'virtual_address': '0x00156000', 'entropy': 7.920513391727898, 'name': 'UPX1', 'virtual_size': '0x0010a000'}

description

A section with a high entropy has been found

entropy

0.8612576064908722

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 个事件)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (50 out of 627 个事件)

Time & API	Arguments	Status
1619279608.261751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 671744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x10410000	success
1619279608.276751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000f0000	success
1619279608.276751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00100000	success
1619279608.276751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00110000	success
1619279608.417751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00020000	success
1619279608.417751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00030000	success
1619279608.417751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00120000	success
1619279608.417751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00130000	success
1619279609.042751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00140000	success
1619279609.042751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00150000	success
1619279609.042751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00160000	success
1619279609.042751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00170000	success
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00220000	success
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00230000	success
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00240000	success
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00250000	success
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00260000	success
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x002b0000	success
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x002c0000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x002d0000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x002e0000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x002f0000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00300000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00310000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00320000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00330000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00340000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00350000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00360000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00370000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00380000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00390000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003a0000	success
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003b0000	success
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003c0000	success
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003d0000	success
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003e0000	success
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003f0000	success
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00410000	success
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00420000	success
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00430000	success
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00440000	success
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00450000	success
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00460000	success
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00470000	success
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00480000	success
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00490000	success
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x004a0000	success
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x004b0000	success

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (50 out of 158 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1344 created a remote thread in non-child process 1272
1619279608.292751 CreateRemoteThread	thread_identifier: 3056 process_identifier: 1272 function_address: 0x00110000 flags: 0 process_handle: 0x00000120 parameter: 0x00100000 stack_size: 0	success	308	0
1619279608.433751 CreateRemoteThread	thread_identifier: 1712 process_identifier: 1272 function_address: 0x00130000 flags: 0 process_handle: 0x00000120 parameter: 0x00120000 stack_size: 0	success	308	0
1619279609.042751 CreateRemoteThread	thread_identifier: 2040 process_identifier: 1272 function_address: 0x00170000 flags: 0 process_handle: 0x00000120 parameter: 0x00160000 stack_size: 0	success	304	0
1619279609.058751 CreateRemoteThread	thread_identifier: 624 process_identifier: 1272 function_address: 0x00250000 flags: 0 process_handle: 0x00000120 parameter: 0x00240000 stack_size: 0	success	312	0
1619279609.058751 CreateRemoteThread	thread_identifier: 1688 process_identifier: 1272 function_address: 0x002c0000 flags: 0 process_handle: 0x00000120 parameter: 0x002b0000 stack_size: 0	success	316	0
1619279609.167751 CreateRemoteThread	thread_identifier: 1056 process_identifier: 1272 function_address: 0x00300000 flags: 0 process_handle: 0x00000120 parameter: 0x002f0000 stack_size: 0	success	316	0
1619279609.167751 CreateRemoteThread	thread_identifier: 1812 process_identifier: 1272 function_address: 0x00340000 flags: 0 process_handle: 0x00000120 parameter: 0x00330000 stack_size: 0	success	320	0
1619279609.167751 CreateRemoteThread	thread_identifier: 2008 process_identifier: 1272 function_address: 0x00380000 flags: 0 process_handle: 0x00000120 parameter: 0x00370000 stack_size: 0	success	324	0
1619279609.183751 CreateRemoteThread	thread_identifier: 1940 process_identifier: 1272 function_address: 0x003b0000 flags: 0 process_handle: 0x00000120 parameter: 0x003a0000 stack_size: 0	success	328	0
1619279609.292751 CreateRemoteThread	thread_identifier: 1916 process_identifier: 1272 function_address: 0x003f0000 flags: 0 process_handle: 0x00000120 parameter: 0x003e0000 stack_size: 0	success	328	0
1619279609.308751 CreateRemoteThread	thread_identifier: 2032 process_identifier: 1272 function_address: 0x00430000 flags: 0 process_handle: 0x00000120 parameter: 0x00420000 stack_size: 0	success	332	0
1619279609.308751 CreateRemoteThread	thread_identifier: 880 process_identifier: 1272 function_address: 0x00470000 flags: 0 process_handle: 0x00000120 parameter: 0x00460000 stack_size: 0	success	336	0
1619279609.308751 CreateRemoteThread	thread_identifier: 1436 process_identifier: 1272 function_address: 0x004b0000 flags: 0 process_handle: 0x00000120 parameter: 0x004a0000 stack_size: 0	success	340	0
1619279609.323751 CreateRemoteThread	thread_identifier: 2952 process_identifier: 1272 function_address: 0x004f0000 flags: 0 process_handle: 0x00000120 parameter: 0x004e0000 stack_size: 0	success	344	0
1619279609.323751 CreateRemoteThread	thread_identifier: 916 process_identifier: 1272 function_address: 0x00730000 flags: 0 process_handle: 0x00000120 parameter: 0x00720000 stack_size: 0	success	348	0
1619279609.433751 CreateRemoteThread	thread_identifier: 2184 process_identifier: 1272 function_address: 0x00a00000 flags: 0 process_handle: 0x00000120 parameter: 0x00760000 stack_size: 0	success	348	0
1619279609.433751 CreateRemoteThread	thread_identifier: 2836 process_identifier: 1272 function_address: 0x00a40000 flags: 0 process_handle: 0x00000120 parameter: 0x00a30000 stack_size: 0	success	352	0
1619279609.433751 CreateRemoteThread	thread_identifier: 1196 process_identifier: 1272 function_address: 0x00a80000 flags: 0 process_handle: 0x00000120 parameter: 0x00a70000 stack_size: 0	success	356	0
1619279609.448751 CreateRemoteThread	thread_identifier: 1252 process_identifier: 1272 function_address: 0x00ac0000 flags: 0 process_handle: 0x00000120 parameter: 0x00ab0000 stack_size: 0	success	360	0
1619279609.448751 CreateRemoteThread	thread_identifier: 2428 process_identifier: 1272 function_address: 0x00b00000 flags: 0 process_handle: 0x00000120 parameter: 0x00af0000 stack_size: 0	success	364	0
1619279609.448751 CreateRemoteThread	thread_identifier: 1976 process_identifier: 1272 function_address: 0x00b40000 flags: 0 process_handle: 0x00000120 parameter: 0x00b30000 stack_size: 0	success	368	0
1619279609.464751 CreateRemoteThread	thread_identifier: 2960 process_identifier: 1272 function_address: 0x00b80000 flags: 0 process_handle: 0x00000120 parameter: 0x00b70000 stack_size: 0	success	372	0
1619279609.464751 CreateRemoteThread	thread_identifier: 2964 process_identifier: 1272 function_address: 0x00be0000 flags: 0 process_handle: 0x00000120 parameter: 0x00bd0000 stack_size: 0	success	376	0
1619279609.464751 CreateRemoteThread	thread_identifier: 2796 process_identifier: 1272 function_address: 0x00c20000 flags: 0 process_handle: 0x00000120 parameter: 0x00c10000 stack_size: 0	success	380	0
1619279609.464751 CreateRemoteThread	thread_identifier: 300 process_identifier: 1272 function_address: 0x02070000 flags: 0 process_handle: 0x00000120 parameter: 0x02060000 stack_size: 0	success	384	0
1619279609.464751 CreateRemoteThread	thread_identifier: 1100 process_identifier: 1272 function_address: 0x020b0000 flags: 0 process_handle: 0x00000120 parameter: 0x020a0000 stack_size: 0	success	388	0
1619279609.479751 CreateRemoteThread	thread_identifier: 692 process_identifier: 1272 function_address: 0x020f0000 flags: 0 process_handle: 0x00000120 parameter: 0x020e0000 stack_size: 0	success	392	0
1619279609.479751 CreateRemoteThread	thread_identifier: 2288 process_identifier: 1272 function_address: 0x02130000 flags: 0 process_handle: 0x00000120 parameter: 0x02120000 stack_size: 0	success	396	0
1619279609.479751 CreateRemoteThread	thread_identifier: 804 process_identifier: 1272 function_address: 0x02170000 flags: 0 process_handle: 0x00000120 parameter: 0x02160000 stack_size: 0	success	400	0
1619279609.479751 CreateRemoteThread	thread_identifier: 2012 process_identifier: 1272 function_address: 0x021b0000 flags: 0 process_handle: 0x00000120 parameter: 0x021a0000 stack_size: 0	success	404	0
1619279609.479751 CreateRemoteThread	thread_identifier: 1304 process_identifier: 1272 function_address: 0x021f0000 flags: 0 process_handle: 0x00000120 parameter: 0x021e0000 stack_size: 0	success	408	0
1619279609.495751 CreateRemoteThread	thread_identifier: 1072 process_identifier: 1272 function_address: 0x02230000 flags: 0 process_handle: 0x00000120 parameter: 0x02220000 stack_size: 0	success	412	0
1619279609.495751 CreateRemoteThread	thread_identifier: 2840 process_identifier: 1272 function_address: 0x02270000 flags: 0 process_handle: 0x00000120 parameter: 0x02260000 stack_size: 0	success	416	0
1619279609.495751 CreateRemoteThread	thread_identifier: 2584 process_identifier: 1272 function_address: 0x022b0000 flags: 0 process_handle: 0x00000120 parameter: 0x022a0000 stack_size: 0	success	420	0
1619279609.495751 CreateRemoteThread	thread_identifier: 1364 process_identifier: 1272 function_address: 0x022f0000 flags: 0 process_handle: 0x00000120 parameter: 0x022e0000 stack_size: 0	success	424	0
1619279609.495751 CreateRemoteThread	thread_identifier: 952 process_identifier: 1272 function_address: 0x02330000 flags: 0 process_handle: 0x00000120 parameter: 0x02320000 stack_size: 0	success	428	0
1619279609.511751 CreateRemoteThread	thread_identifier: 2516 process_identifier: 1272 function_address: 0x02370000 flags: 0 process_handle: 0x00000120 parameter: 0x02360000 stack_size: 0	success	432	0
1619279609.511751 CreateRemoteThread	thread_identifier: 2496 process_identifier: 1272 function_address: 0x023b0000 flags: 0 process_handle: 0x00000120 parameter: 0x023a0000 stack_size: 0	success	436	0
1619279609.526751 CreateRemoteThread	thread_identifier: 2988 process_identifier: 1272 function_address: 0x023f0000 flags: 0 process_handle: 0x00000120 parameter: 0x023e0000 stack_size: 0	success	440	0
1619279609.526751 CreateRemoteThread	thread_identifier: 2860 process_identifier: 1272 function_address: 0x02430000 flags: 0 process_handle: 0x00000120 parameter: 0x02420000 stack_size: 0	success	444	0
1619279609.526751 CreateRemoteThread	thread_identifier: 2168 process_identifier: 1272 function_address: 0x02470000 flags: 0 process_handle: 0x00000120 parameter: 0x02460000 stack_size: 0	success	448	0
1619279609.526751 CreateRemoteThread	thread_identifier: 2864 process_identifier: 1272 function_address: 0x024b0000 flags: 0 process_handle: 0x00000120 parameter: 0x024a0000 stack_size: 0	success	452	0
1619279609.526751 CreateRemoteThread	thread_identifier: 2248 process_identifier: 1272 function_address: 0x024f0000 flags: 0 process_handle: 0x00000120 parameter: 0x024e0000 stack_size: 0	success	456	0
1619279609.526751 CreateRemoteThread	thread_identifier: 176 process_identifier: 1272 function_address: 0x02530000 flags: 0 process_handle: 0x00000120 parameter: 0x02520000 stack_size: 0	success	460	0
1619279609.526751 CreateRemoteThread	thread_identifier: 1060 process_identifier: 1272 function_address: 0x02570000 flags: 0 process_handle: 0x00000120 parameter: 0x02560000 stack_size: 0	success	464	0
1619279609.573751 CreateRemoteThread	thread_identifier: 1664 process_identifier: 1272 function_address: 0x025b0000 flags: 0 process_handle: 0x00000120 parameter: 0x025a0000 stack_size: 0	success	468	0
1619279609.589751 CreateRemoteThread	thread_identifier: 1484 process_identifier: 1272 function_address: 0x025f0000 flags: 0 process_handle: 0x00000120 parameter: 0x025e0000 stack_size: 0	success	472	0
1619279609.620751 CreateRemoteThread	thread_identifier: 2212 process_identifier: 1272 function_address: 0x02630000 flags: 0 process_handle: 0x00000120 parameter: 0x02620000 stack_size: 0	success	476	0
1619279609.620751 CreateRemoteThread	thread_identifier: 1300 process_identifier: 1272 function_address: 0x02670000 flags: 0 process_handle: 0x00000120 parameter: 0x02660000 stack_size: 0	success	480	0

Manipulates memory of a non-child process indicative of process injection (50 out of 628 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1344 manipulating memory of non-child process 1272
1619279608.261751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 671744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x10410000	success	0	0
1619279608.276751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000f0000	success	0	0
1619279608.276751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00100000	success	0	0
1619279608.276751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00110000	success	0	0
1619279608.417751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00020000	success	0	0
1619279608.417751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00030000	success	0	0
1619279608.417751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00120000	success	0	0
1619279608.417751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00130000	success	0	0
1619279609.042751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00140000	success	0	0
1619279609.042751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00150000	success	0	0
1619279609.042751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00160000	success	0	0
1619279609.042751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00170000	success	0	0
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00220000	success	0	0
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00230000	success	0	0
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00240000	success	0	0
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00250000	success	0	0
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00260000	success	0	0
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x002b0000	success	0	0
1619279609.058751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x002c0000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x002d0000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x002e0000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x002f0000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00300000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00310000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00320000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00330000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00340000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00350000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00360000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00370000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00380000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00390000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003a0000	success	0	0
1619279609.167751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003b0000	success	0	0
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003c0000	success	0	0
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003d0000	success	0	0
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003e0000	success	0	0
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003f0000	success	0	0
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00410000	success	0	0
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00420000	success	0	0
1619279609.292751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00430000	success	0	0
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00440000	success	0	0
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00450000	success	0	0
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00460000	success	0	0
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00470000	success	0	0
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00480000	success	0	0
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00490000	success	0	0
1619279609.308751 NtAllocateVirtualMemory	process_identifier: 1272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x004a0000	success	0	0

Potential code injection by writing to the memory of another process (50 out of 627 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1344 injected into non-child 1272
1619279608.276751 WriteProcessMemory	process_identifier: 1272 buffer: oleaut32.dll process_handle: 0x00000120 base_address: 0x000f0000	success	1	0
1619279608.276751 WriteProcessMemory	process_identifier: 1272 buffer: ×I5v process_handle: 0x00000120 base_address: 0x00100000	success	1	0
1619279608.276751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄøEUøPUüÿuüÿUøYY]Â@UìÄôSVUüðEüè{Àúÿ3ÀUhÆEdÿ0d 3ÛhØEhèEè«ÞúÿPèÞúÿEôEüèVÀúÿÐÆè þÿÿEøjjMôºEÆèÛþÿÿÀtPèqÝúÿ³jdèpßúÿ3ÀZYYdhÍEEüèO»úÿÃ process_handle: 0x00000120 base_address: 0x00110000	success	1	0
1619279608.417751 WriteProcessMemory	process_identifier: 1272 buffer: SysFreeString process_handle: 0x00000120 base_address: 0x00020000	success	1	0
1619279608.417751 WriteProcessMemory	process_identifier: 1272 buffer: oleaut32.dll process_handle: 0x00000120 base_address: 0x00030000	success	1	0
1619279608.417751 WriteProcessMemory	process_identifier: 1272 buffer: ÕØw"5vE5v process_handle: 0x00000120 base_address: 0x00120000	success	1	0
1619279608.417751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh Eh´Eè;ÜúÿPè=ÜúÿEèhÀEh´Eè#ÜúÿPè%ÜúÿEähÐEh´EèÜúÿPè ÜúÿEàþu}ðëÎ×ÃèåûÿÿEðUüÃè<ûÿÿEìjjMàºxEÃèüÿÿØÛt$jÿSèÌÜúÿEôPSèZÛúÿEôEøEø_^[å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadUìÄøUøEüEüèÀÉúÿEøèÌ¼úÿ3ÀUhjEdÿ0d EüèMÇúÿ@PEü¹EèÉúÿÄEüè-ÇúÿUüDüUøè"¸úÿ3ÀZYYdhqEEøè¹·úÿEüEèãÈúÿÃ process_handle: 0x00000120 base_address: 0x00130000	success	1	0
1619279609.042751 WriteProcessMemory	process_identifier: 1272 buffer: SysReAllocStringLen process_handle: 0x00000120 base_address: 0x00140000	success	1	0
1619279609.042751 WriteProcessMemory	process_identifier: 1272 buffer: oleaut32.dll process_handle: 0x00000120 base_address: 0x00150000	success	1	0
1619279609.042751 WriteProcessMemory	process_identifier: 1272 buffer: ÕØw"5vE5v process_handle: 0x00000120 base_address: 0x00160000	success	1	0
1619279609.042751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh Eh´Eè;ÜúÿPè=ÜúÿEèhÀEh´Eè#ÜúÿPè%ÜúÿEähÐEh´EèÜúÿPè ÜúÿEàþu}ðëÎ×ÃèåûÿÿEðUüÃè<ûÿÿEìjjMàºxEÃèüÿÿØÛt$jÿSèÌÜúÿEôPSèZÛúÿEôEøEø_^[å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadUìÄøUøEüEüèÀÉúÿEøèÌ¼úÿ3ÀUhjEdÿ0d EüèMÇúÿ@PEü¹EèÉúÿÄEüè-ÇúÿUüDüUøè"¸úÿ3ÀZYYdhqEEøè¹·úÿEüEèãÈúÿÃ process_handle: 0x00000120 base_address: 0x00170000	success	1	0
1619279609.058751 WriteProcessMemory	process_identifier: 1272 buffer: SysAllocStringLen process_handle: 0x00000120 base_address: 0x00220000	success	1	0
1619279609.058751 WriteProcessMemory	process_identifier: 1272 buffer: oleaut32.dll process_handle: 0x00000120 base_address: 0x00230000	success	1	0
1619279609.058751 WriteProcessMemory	process_identifier: 1272 buffer: ÕØw"5vE5v#" process_handle: 0x00000120 base_address: 0x00240000	success	1	0
1619279609.058751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh Eh´Eè;ÜúÿPè=ÜúÿEèhÀEh´Eè#ÜúÿPè%ÜúÿEähÐEh´EèÜúÿPè ÜúÿEàþu}ðëÎ×ÃèåûÿÿEðUüÃè<ûÿÿEìjjMàºxEÃèüÿÿØÛt$jÿSèÌÜúÿEôPSèZÛúÿEôEøEø_^[å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadUìÄøUøEüEüèÀÉúÿEøèÌ¼úÿ3ÀUhjEdÿ0d EüèMÇúÿ@PEü¹EèÉúÿÄEüè-ÇúÿUüDüUøè"¸úÿ3ÀZYYdhqEEøè¹·úÿEüEèãÈúÿÃ process_handle: 0x00000120 base_address: 0x00250000	success	1	0
1619279609.058751 WriteProcessMemory	process_identifier: 1272 buffer: advapi32.dll process_handle: 0x00000120 base_address: 0x00260000	success	1	0
1619279609.058751 WriteProcessMemory	process_identifier: 1272 buffer: ×I5v& process_handle: 0x00000120 base_address: 0x002b0000	success	1	0
1619279609.058751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄøEUøPUüÿuüÿUøYY]Â@UìÄôSVUüðEüè{Àúÿ3ÀUhÆEdÿ0d 3ÛhØEhèEè«ÞúÿPèÞúÿEôEüèVÀúÿÐÆè þÿÿEøjjMôºEÆèÛþÿÿÀtPèqÝúÿ³jdèpßúÿ3ÀZYYdhÍEEüèO»úÿÃ process_handle: 0x00000120 base_address: 0x002c0000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: RegQueryValueExA process_handle: 0x00000120 base_address: 0x002d0000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: advapi32.dll process_handle: 0x00000120 base_address: 0x002e0000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: ÕØw"5vE5v.- process_handle: 0x00000120 base_address: 0x002f0000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh Eh´Eè;ÜúÿPè=ÜúÿEèhÀEh´Eè#ÜúÿPè%ÜúÿEähÐEh´EèÜúÿPè ÜúÿEàþu}ðëÎ×ÃèåûÿÿEðUüÃè<ûÿÿEìjjMàºxEÃèüÿÿØÛt$jÿSèÌÜúÿEôPSèZÛúÿEôEøEø_^[å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadUìÄøUøEüEüèÀÉúÿEøèÌ¼úÿ3ÀUhjEdÿ0d EüèMÇúÿ@PEü¹EèÉúÿÄEüè-ÇúÿUüDüUøè"¸úÿ3ÀZYYdhqEEøè¹·úÿEüEèãÈúÿÃ process_handle: 0x00000120 base_address: 0x00300000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: RegOpenKeyExA process_handle: 0x00000120 base_address: 0x00310000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: advapi32.dll process_handle: 0x00000120 base_address: 0x00320000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: ÕØw"5vE5v21 process_handle: 0x00000120 base_address: 0x00330000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh Eh´Eè;ÜúÿPè=ÜúÿEèhÀEh´Eè#ÜúÿPè%ÜúÿEähÐEh´EèÜúÿPè ÜúÿEàþu}ðëÎ×ÃèåûÿÿEðUüÃè<ûÿÿEìjjMàºxEÃèüÿÿØÛt$jÿSèÌÜúÿEôPSèZÛúÿEôEøEø_^[å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadUìÄøUøEüEüèÀÉúÿEøèÌ¼úÿ3ÀUhjEdÿ0d EüèMÇúÿ@PEü¹EèÉúÿÄEüè-ÇúÿUüDüUøè"¸úÿ3ÀZYYdhqEEøè¹·úÿEüEèãÈúÿÃ process_handle: 0x00000120 base_address: 0x00340000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: RegCloseKey process_handle: 0x00000120 base_address: 0x00350000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: advapi32.dll process_handle: 0x00000120 base_address: 0x00360000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: ÕØw"5vE5v65 process_handle: 0x00000120 base_address: 0x00370000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh Eh´Eè;ÜúÿPè=ÜúÿEèhÀEh´Eè#ÜúÿPè%ÜúÿEähÐEh´EèÜúÿPè ÜúÿEàþu}ðëÎ×ÃèåûÿÿEðUüÃè<ûÿÿEìjjMàºxEÃèüÿÿØÛt$jÿSèÌÜúÿEôPSèZÛúÿEôEøEø_^[å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadUìÄøUøEüEüèÀÉúÿEøèÌ¼úÿ3ÀUhjEdÿ0d EüèMÇúÿ@PEü¹EèÉúÿÄEüè-ÇúÿUüDüUøè"¸úÿ3ÀZYYdhqEEøè¹·úÿEüEèãÈúÿÃ process_handle: 0x00000120 base_address: 0x00380000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: user32.dll process_handle: 0x00000120 base_address: 0x00390000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: ×I5v9 process_handle: 0x00000120 base_address: 0x003a0000	success	1	0
1619279609.167751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄøEUøPUüÿuüÿUøYY]Â@UìÄôSVUüðEüè{Àúÿ3ÀUhÆEdÿ0d 3ÛhØEhèEè«ÞúÿPèÞúÿEôEüèVÀúÿÐÆè þÿÿEøjjMôºEÆèÛþÿÿÀtPèqÝúÿ³jdèpßúÿ3ÀZYYdhÍEEüèO»úÿÃ process_handle: 0x00000120 base_address: 0x003b0000	success	1	0
1619279609.292751 WriteProcessMemory	process_identifier: 1272 buffer: GetKeyboardType process_handle: 0x00000120 base_address: 0x003c0000	success	1	0
1619279609.292751 WriteProcessMemory	process_identifier: 1272 buffer: user32.dll process_handle: 0x00000120 base_address: 0x003d0000	success	1	0
1619279609.292751 WriteProcessMemory	process_identifier: 1272 buffer: ÕØw"5vE5v=< process_handle: 0x00000120 base_address: 0x003e0000	success	1	0
1619279609.292751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh Eh´Eè;ÜúÿPè=ÜúÿEèhÀEh´Eè#ÜúÿPè%ÜúÿEähÐEh´EèÜúÿPè ÜúÿEàþu}ðëÎ×ÃèåûÿÿEðUüÃè<ûÿÿEìjjMàºxEÃèüÿÿØÛt$jÿSèÌÜúÿEôPSèZÛúÿEôEøEø_^[å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadUìÄøUøEüEüèÀÉúÿEøèÌ¼úÿ3ÀUhjEdÿ0d EüèMÇúÿ@PEü¹EèÉúÿÄEüè-ÇúÿUüDüUøè"¸úÿ3ÀZYYdhqEEøè¹·úÿEüEèãÈúÿÃ process_handle: 0x00000120 base_address: 0x003f0000	success	1	0
1619279609.292751 WriteProcessMemory	process_identifier: 1272 buffer: DestroyWindow process_handle: 0x00000120 base_address: 0x00400000	success	1	0
1619279609.292751 WriteProcessMemory	process_identifier: 1272 buffer: user32.dll process_handle: 0x00000120 base_address: 0x00410000	success	1	0
1619279609.292751 WriteProcessMemory	process_identifier: 1272 buffer: ÕØw"5vE5vA@ process_handle: 0x00000120 base_address: 0x00420000	success	1	0
1619279609.292751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh Eh´Eè;ÜúÿPè=ÜúÿEèhÀEh´Eè#ÜúÿPè%ÜúÿEähÐEh´EèÜúÿPè ÜúÿEàþu}ðëÎ×ÃèåûÿÿEðUüÃè<ûÿÿEìjjMàºxEÃèüÿÿØÛt$jÿSèÌÜúÿEôPSèZÛúÿEôEøEø_^[å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadUìÄøUøEüEüèÀÉúÿEøèÌ¼úÿ3ÀUhjEdÿ0d EüèMÇúÿ@PEü¹EèÉúÿÄEüè-ÇúÿUüDüUøè"¸úÿ3ÀZYYdhqEEøè¹·úÿEüEèãÈúÿÃ process_handle: 0x00000120 base_address: 0x00430000	success	1	0
1619279609.308751 WriteProcessMemory	process_identifier: 1272 buffer: LoadStringA process_handle: 0x00000120 base_address: 0x00440000	success	1	0
1619279609.308751 WriteProcessMemory	process_identifier: 1272 buffer: user32.dll process_handle: 0x00000120 base_address: 0x00450000	success	1	0
1619279609.308751 WriteProcessMemory	process_identifier: 1272 buffer: ÕØw"5vE5vED process_handle: 0x00000120 base_address: 0x00460000	success	1	0
1619279609.308751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh Eh´Eè;ÜúÿPè=ÜúÿEèhÀEh´Eè#ÜúÿPè%ÜúÿEähÐEh´EèÜúÿPè ÜúÿEàþu}ðëÎ×ÃèåûÿÿEðUüÃè<ûÿÿEìjjMàºxEÃèüÿÿØÛt$jÿSèÌÜúÿEôPSèZÛúÿEôEøEø_^[å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadUìÄøUøEüEüèÀÉúÿEøèÌ¼úÿ3ÀUhjEdÿ0d EüèMÇúÿ@PEü¹EèÉúÿÄEüè-ÇúÿUüDüUøè"¸úÿ3ÀZYYdhqEEøè¹·úÿEüEèãÈúÿÃ process_handle: 0x00000120 base_address: 0x00470000	success	1	0
1619279609.308751 WriteProcessMemory	process_identifier: 1272 buffer: MessageBoxA process_handle: 0x00000120 base_address: 0x00480000	success	1	0
1619279609.308751 WriteProcessMemory	process_identifier: 1272 buffer: user32.dll process_handle: 0x00000120 base_address: 0x00490000	success	1	0
1619279609.308751 WriteProcessMemory	process_identifier: 1272 buffer: ÕØw"5vE5vIH process_handle: 0x00000120 base_address: 0x004a0000	success	1	0
1619279609.308751 WriteProcessMemory	process_identifier: 1272 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀUìÄàSVWùUüØu3ÀEøh Eh´Eè;ÜúÿPè=ÜúÿEèhÀEh´Eè#ÜúÿPè%ÜúÿEähÐEh´EèÜúÿPè ÜúÿEàþu}ðëÎ×ÃèåûÿÿEðUüÃè<ûÿÿEìjjMàºxEÃèüÿÿØÛt$jÿSèÌÜúÿEôPSèZÛúÿEôEøEø_^[å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadUìÄøUøEüEüèÀÉúÿEøèÌ¼úÿ3ÀUhjEdÿ0d EüèMÇúÿ@PEü¹EèÉúÿÄEüè-ÇúÿUüDüUøè"¸úÿ3ÀZYYdhqEEøè¹·úÿEüEèãÈúÿÃ process_handle: 0x00000120 base_address: 0x004b0000	success	1	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

94.100.180.228:443

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Autoruns.GenericKD.42825224
McAfee	Artemis!1FB6AB76126B
Cylance	Unsafe
Sangfor	Malware
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanDropper:Win32/Skeeyah.5d71d992
K7GW	Trojan ( 0054f7b31 )
K7AntiVirus	Trojan ( 0054f7b31 )
BitDefenderTheta	Gen:NN.ZelphiF.34700.nnGfa0rE3yoG
Cyren	W32/Trojan.HCSQ-7231
Symantec	Trojan Horse
TrendMicro-HouseCall	TROJ_GEN.R06EC0DI220
Paloalto	generic.ml
ClamAV	Win.Trojan.Remcos-6987786-0
Kaspersky	HEUR:Backdoor.Win32.Remcos.gen
BitDefender	Trojan.Autoruns.GenericKD.42825224
NANO-Antivirus	Trojan.Win32.Remcos.fqymwd
APEX	Malicious
Tencent	Malware.Win32.Gencirc.114dc659
Ad-Aware	Trojan.Autoruns.GenericKD.42825224
Emsisoft	Trojan.Autoruns.GenericKD.42825224 (B)
Comodo	Malware@#14taodvngi6dr
F-Secure	Heuristic.HEUR/AGEN.1128746
DrWeb	Trojan.PWS.Siggen2.16813
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R06EC0DI220
McAfee-GW-Edition	GenericRXHT-NO!4CA502CA7F4A
FireEye	Generic.mg.1fb6ab76126bf634
Sophos	Mal/Generic-R + Troj/Mdrop-IQY
Ikarus	Trojan.Win32.Injector
GData	Trojan.Autoruns.GenericKD.42825224
Jiangmin	Backdoor.Remcos.om
eGambit	Unsafe.AI_Score_99%
Avira	HEUR/AGEN.1128746
Antiy-AVL	Trojan[Backdoor]/Win32.Remcos
Arcabit	Trojan.Autoruns.Generic.D28D7608
AegisLab	Trojan.Win32.Remcos.m!c
ZoneAlarm	HEUR:Backdoor.Win32.Remcos.gen
Microsoft	Trojan:Win32/Skeeyah.A!bit
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Remcos.R274540
ALYac	Trojan.Autoruns.GenericKD.42825224
VBA32	Backdoor.Remcos
Avast	Win32:Trojan-gen
ESET-NOD32	a variant of Win32/TrojanDropper.Delf.OTK
Rising	Exploit.BypassUAC!8.87F5 (TFE:4:DweusJDIf5P)
Yandex	Trojan.GenAsa!Xgs2urgUzJk
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.9833444.susgen

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library KERNEL32.DLL:

• 0x68a9e8 LoadLibraryA

• 0x68a9ec GetProcAddress

• 0x68a9f0 VirtualProtect

• 0x68a9f4 ExitProcess

Library advapi32.dll:

• 0x68a9fc RegCloseKey

Library comctl32.dll:

• 0x68aa04 ImageList_Add

Library gdi32.dll:

• 0x68aa0c SaveDC

Library oleaut32.dll:

• 0x68aa14 VariantCopy

Library shell32.dll:

• 0x68aa1c ShellExecuteA

Library shfolder.dll:

• 0x68aa24 SHGetFolderPathA

Library user32.dll:

• 0x68aa2c GetDC

Library version.dll:

• 0x68aa34 VerQueryValueA

Library winspool.drv:

• 0x68aa3c OpenPrinterA

Library wsock32.dll:

• 0x68aa44 recv

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
mrim.mail.ru	A 217.69.139.225 A 94.100.180.228	217.69.139.225
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58368	239.255.255.250	3702
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.