SmartHawk

15.0

0-day

61 个模型检测该样本为恶意！

重新分析

下载样本

dadd0d7d480d15bb718d82ff012ace97f16fb4a2a6862dc5ad04e9b2b95380cc

3ce7f45f3e96898bf0de39c7f3caa10d.exe

分析耗时

76s

最近分析

文件大小

355.5KB

静态报毒动态报毒 100% A + MAL AI SCORE=81 AIDETECTVM ATTRIBUTE AXSV BSCOPE CARBERP CLASSIC CONFIDENCE ELDORADO EMOGEN ESRGLB FDOB GENASA HIGH CONFIDENCE HIGHCONFIDENCE HIJACKER IBANK MALICIOUS PE MALWARE1 SCORE SHIZ SIMDA SPYSHIZ STATIC AI SUSGEN TROJANPSW UNSAFE WQW@AK4J0CI XDLQGVFONP0 ZEXAF ZUSY ZV@6LDVXF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Backdoor:Win32/Simda.79a1a15c	20190527	0.3.0.5
Baidu	Win32.Trojan-Spy.Shiz.b	20190318	1.0.0.2
Avast	Win32:Shiz-JT [Trj]	20201210	21.1.5827.0
Kingsoft		20201211	2017.9.26.565
McAfee	BackDoor-FDOB!3CE7F45F3E96	20201211	6.0.6.653
Tencent	Backdoor.Win32.Generic.a	20201211	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1620743890.609875 GetComputerNameA	computer_name: OSKAR-PC	success	1
1620743891.624375 GetComputerNameA	computer_name: OSKAR-PC	success	1
1620743891.702375 GetComputerNameA	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (20 个事件)

Time & API	Arguments	Status	Return	Repeated
1620726219.923046 IsDebuggerPresent		failed	0	0
1620743890.171875 IsDebuggerPresent		failed	0	0
1620743892.546875 IsDebuggerPresent		failed	0	0
1620743892.702875 IsDebuggerPresent		failed	0	0
1620743892.906875 IsDebuggerPresent		failed	0	0
1620743893.624875 IsDebuggerPresent		failed	0	0
1620743893.671875 IsDebuggerPresent		failed	0	0
1620743893.812875 IsDebuggerPresent		failed	0	0
1620743893.952875 IsDebuggerPresent		failed	0	0
1620743894.046875 IsDebuggerPresent		failed	0	0
1620743894.124875 IsDebuggerPresent		failed	0	0
1620743894.140875 IsDebuggerPresent		failed	0	0
1620743894.327875 IsDebuggerPresent		failed	0	0
1620743894.359875 IsDebuggerPresent		failed	0	0
1620743894.406875 IsDebuggerPresent		failed	0	0
1620743894.499875 IsDebuggerPresent		failed	0	0
1620743894.906875 IsDebuggerPresent		failed	0	0
1620743895.015875 IsDebuggerPresent		failed	0	0
1620743895.062875 IsDebuggerPresent		failed	0	0
1620743895.234875 IsDebuggerPresent		failed	0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (18 个事件)

request	GET http://gahyqah.com/login.php
request	GET http://lysyfyj.com/login.php
request	GET http://pumyxiv.com/login.php
request	GET http://pufygug.com/login.php
request	GET http://galyqaz.com/login.php
request	GET http://puzywel.com/login.php
request	GET http://qetyfuv.com/login.php
request	GET http://lyvyxor.com/login.php
request	GET http://puvytuq.com/login.php
request	GET http://pumypog.com/login.php
request	GET http://puzylyp.com/login.php
request	GET http://qegyhig.com/login.php
request	GET http://qeqysag.com/login.php
request	GET http://volykyc.com/login.php
request	GET http://ganypih.com/login.php
request	GET http://pupybul.com/login.php
request	GET http://melanthios-ana.com/zcvisitor/b2441d66-b223-11eb-8d9d-1211e9200e73/72092e88-2c53-401c-b988-51ef43ce1034?campaignid=62a5ec10-a752-11eb-b4f9-0a918cbcbb97
request	GET http://www.pupybul.com/login.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 79 个事件)

Time & API	Arguments	Status
1620743890.468875 NtAllocateVirtualMemory	process_identifier: 428 region_size: 745472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02490000	success
1620743891.015375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02040000	success
1620743891.671375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01dc0000	success
1620743891.671375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01dc0000	success
1620743891.671375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775e9000	success
1620743891.671375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01dc0000	success
1620743891.671375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01dd0000	success
1620743891.671375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01dd0000	success
1620743891.671375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01dd0000	success
1620743891.671375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01dc0000	success
1620743891.671375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775e9000	success
1620743891.671375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01de0000	success
1620743891.671375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01de0000	success
1620743891.671375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01de0000	success
1620743891.687375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01df0000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01df0000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01df0000	success
1620743891.687375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01e00000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e00000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e00000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01df0000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1620743891.687375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01e10000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e10000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e10000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1620743891.687375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01e20000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e20000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1620743891.687375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e20000	success
1620743891.702375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01e30000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e30000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e30000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e20000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1620743891.702375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01e60000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e60000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e60000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1620743891.702375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01e40000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e40000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e40000	success
1620743891.702375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01e50000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e50000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e50000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01e40000	success
1620743891.702375 NtProtectVirtualMemory	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1620743891.702375 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01e70000	success

Creates executable files on the filesystem (1 个事件)

file	C:\Windows\AppPatch\svchost.exe

Creates a suspicious process (1 个事件)

cmdline

C:\Windows\AppPatch\svchost.exe

Drops a binary and executes it (1 个事件)

file	C:\Windows\AppPatch\svchost.exe

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5917.tmp

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620743892.562875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x0000084c process_identifier: 3284	success	1	0
1620743895.171875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x00000470 process_identifier: 3592	success	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620743895.749875 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 79 个事件)

Time & API	Arguments	Status
1620726219.923046 Process32NextW	process_name: 3ce7f45f3e96898bf0de39c7f3caa10d.exe snapshot_handle: 0x000000a4 process_identifier: 3004	failed
1620726219.938046 Process32NextW	process_name: 3ce7f45f3e96898bf0de39c7f3caa10d.exe snapshot_handle: 0x000000a4 process_identifier: 3004	failed
1620726219.954046 Process32NextW	process_name: 3ce7f45f3e96898bf0de39c7f3caa10d.exe snapshot_handle: 0x000000a4 process_identifier: 3004	failed
1620726219.970046 Process32NextW	process_name: 3ce7f45f3e96898bf0de39c7f3caa10d.exe snapshot_handle: 0x000000a4 process_identifier: 3004	failed
1620743890.202875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000a4 process_identifier: 2116	failed
1620743890.202875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000a4 process_identifier: 2116	failed
1620743890.218875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000a4 process_identifier: 2116	failed
1620743890.234875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000a4 process_identifier: 2116	failed
1620743892.577875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x0000084c process_identifier: 3284	failed
1620743892.577875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x0000084c process_identifier: 3284	failed
1620743892.609875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x0000084c process_identifier: 3284	failed
1620743892.749875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x00000864 process_identifier: 3284	failed
1620743892.812875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x00000864 process_identifier: 3284	failed
1620743892.843875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x00000864 process_identifier: 3284	failed
1620743892.890875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x00000864 process_identifier: 3284	failed
1620743892.952875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x0000086c process_identifier: 3284	failed
1620743892.984875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x0000086c process_identifier: 3284	failed
1620743892.999875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x0000086c process_identifier: 3284	failed
1620743893.015875 Process32NextW	process_name: wmpnscfg.exe snapshot_handle: 0x0000086c process_identifier: 3284	failed
1620743893.624875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000095c process_identifier: 2116	failed
1620743893.640875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000095c process_identifier: 2116	failed
1620743893.656875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000095c process_identifier: 2116	failed
1620743893.656875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000095c process_identifier: 2116	failed
1620743893.687875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000978 process_identifier: 2116	failed
1620743893.718875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000978 process_identifier: 2116	failed
1620743893.749875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000978 process_identifier: 2116	failed
1620743893.796875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000978 process_identifier: 2116	failed
1620743893.843875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000009ac process_identifier: 2116	failed
1620743893.890875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000009ac process_identifier: 2116	failed
1620743893.921875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000009ac process_identifier: 2116	failed
1620743893.952875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000009ac process_identifier: 2116	failed
1620743893.968875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000004a4 process_identifier: 2116	failed
1620743893.999875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000004a4 process_identifier: 2116	failed
1620743894.015875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000004a4 process_identifier: 2116	failed
1620743894.031875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000004a4 process_identifier: 2116	failed
1620743894.062875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000009c8 process_identifier: 2116	failed
1620743894.093875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000009c8 process_identifier: 2116	failed
1620743894.124875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000009c4 process_identifier: 2116	failed
1620743894.140875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000778 process_identifier: 2116	failed
1620743894.140875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000778 process_identifier: 2116	failed
1620743894.156875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000778 process_identifier: 2116	failed
1620743894.218875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000004b8 process_identifier: 2116	failed
1620743894.265875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000004b8 process_identifier: 2116	failed
1620743894.281875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000004b8 process_identifier: 2116	failed
1620743894.312875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000004b8 process_identifier: 2116	failed
1620743894.359875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000004d0 process_identifier: 2116	failed
1620743894.421875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000500 process_identifier: 2116	failed
1620743894.437875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000500 process_identifier: 2116	failed
1620743894.452875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000500 process_identifier: 2116	failed
1620743894.484875 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000500 process_identifier: 2116	failed

Created a process named as a common system process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620726221.235046 CreateProcessInternalW	thread_identifier: 368 thread_handle: 0x000000f4 process_identifier: 428 current_directory: filepath: C:\Windows\AppPatch\svchost.exe track: 1 command_line: filepath_r: C:\Windows\apppatch\svchost.exe stack_pivoted: 0 creation_flags: 0 () process_handle: 0x000000e8 inherit_handles: 0	success	1	0

One or more of the buffers contains an embedded PE file (1 个事件)

buffer

Buffer with sha1: 501b45da2f14fb66a5098cfaa2e35fcd0070956c

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (12 个事件)

Time & API	Arguments	Status
1620743890.437875 NtAllocateVirtualMemory	process_identifier: 428 region_size: 688128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000000e8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x022e0000	success
1620743890.671875 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000184 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00450000	success
1620743891.015875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000184 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00560000	success
1620743891.062875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000184 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02460000	success
1620743891.093875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000184 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x024c0000	success
1620743891.140875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001ec allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02520000	success
1620743891.218875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02580000	success
1620743891.281875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x025e0000	success
1620743891.312875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02640000	success
1620743891.343875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x026a0000	success
1620743891.359875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02700000	success
1620743891.390875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02760000	success

Attempts to identify installed AV products by installation directory (1 个事件)

file	C:\Program Files (x86)\AVG\AVG9\dfncfg.dat

Checks for the presence of known windows from debuggers and forensic tools (20 个事件)

Time & API	Arguments	Status
1620726219.923046 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743890.171875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743892.546875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743892.702875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743892.921875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743893.624875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743893.671875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743893.812875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743893.952875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743894.046875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743894.124875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743894.140875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743894.327875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743894.406875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743894.406875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743894.515875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743894.921875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743895.015875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743895.062875 FindWindowA	class_name: OLLYDBG window_name:	failed
1620743895.249875 FindWindowA	class_name: OLLYDBG window_name:	failed

Checks the version of Bios, possibly for anti-virtualization (1 个事件)

registry

HKEY_LOCAL_MACHINE\SystemBiosVersion

Disables proxy possibly for traffic interception (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620743891.671875 RegSetValueExA	key_handle: 0x000002a0 value: 0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	success	0	0

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (13 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 428 created a remote thread in non-child process 2116
Process injection	Process 428 created a remote thread in non-child process 3004
1620743891.015875 CreateRemoteThread	thread_identifier: 0 process_identifier: 2116 function_address: 0x00451360 flags: 0 process_handle: 0x00000184 parameter: 0x00000000 stack_size: 0	success	480	0
1620743891.046875 CreateRemoteThread	thread_identifier: 0 process_identifier: 3004 function_address: 0x00561360 flags: 0 process_handle: 0x00000184 parameter: 0x00000000 stack_size: 0	failed	0	0
1620743891.093875 CreateRemoteThread	thread_identifier: 0 process_identifier: 3004 function_address: 0x02461360 flags: 0 process_handle: 0x00000184 parameter: 0x00000000 stack_size: 0	failed	0	0
1620743891.124875 CreateRemoteThread	thread_identifier: 0 process_identifier: 3004 function_address: 0x024c1360 flags: 0 process_handle: 0x00000184 parameter: 0x00000000 stack_size: 0	failed	0	0
1620743891.187875 CreateRemoteThread	thread_identifier: 0 process_identifier: 3004 function_address: 0x02521360 flags: 0 process_handle: 0x000001ec parameter: 0x00000000 stack_size: 0	failed	0	0
1620743891.281875 CreateRemoteThread	thread_identifier: 0 process_identifier: 3004 function_address: 0x02581360 flags: 0 process_handle: 0x000001f8 parameter: 0x00000000 stack_size: 0	failed	0	0
1620743891.296875 CreateRemoteThread	thread_identifier: 0 process_identifier: 3004 function_address: 0x025e1360 flags: 0 process_handle: 0x000001f8 parameter: 0x00000000 stack_size: 0	failed	0	0
1620743891.343875 CreateRemoteThread	thread_identifier: 0 process_identifier: 3004 function_address: 0x02641360 flags: 0 process_handle: 0x000001f8 parameter: 0x00000000 stack_size: 0	failed	0	0
1620743891.359875 CreateRemoteThread	thread_identifier: 0 process_identifier: 3004 function_address: 0x026a1360 flags: 0 process_handle: 0x000001f8 parameter: 0x00000000 stack_size: 0	failed	0	0
1620743891.390875 CreateRemoteThread	thread_identifier: 0 process_identifier: 3004 function_address: 0x02701360 flags: 0 process_handle: 0x000001f8 parameter: 0x00000000 stack_size: 0	failed	0	0
1620743891.452875 CreateRemoteThread	thread_identifier: 0 process_identifier: 3004 function_address: 0x02761360 flags: 0 process_handle: 0x000001f8 parameter: 0x00000000 stack_size: 0	failed	0	0

Manipulates memory of a non-child process indicative of process injection (15 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 428 manipulating memory of non-child process 428
Process injection	Process 428 manipulating memory of non-child process 2116
Process injection	Process 428 manipulating memory of non-child process 3004
1620743890.437875 NtAllocateVirtualMemory	process_identifier: 428 region_size: 688128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000000e8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x022e0000	success	0	0
1620743890.671875 NtAllocateVirtualMemory	process_identifier: 2116 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000184 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00450000	success	0	0
1620743891.015875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000184 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00560000	success	0	0
1620743891.062875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000184 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02460000	success	0	0
1620743891.093875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000184 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x024c0000	success	0	0
1620743891.140875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001ec allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02520000	success	0	0
1620743891.218875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02580000	success	0	0
1620743891.281875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x025e0000	success	0	0
1620743891.312875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02640000	success	0	0
1620743891.343875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x026a0000	success	0	0
1620743891.359875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02700000	success	0	0
1620743891.390875 NtAllocateVirtualMemory	process_identifier: 3004 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02760000	success	0	0

Potential code injection by writing to the memory of another process (39 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 428 injected into non-child 428
Process injection	Process 428 injected into non-child 2116
Process injection	Process 428 injected into non-child 3004
1620743890.437875 WriteProcessMemory	process_identifier: 428 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P*@@.text `.data @À.reloc`@(@B process_handle: 0x000000e8 base_address: 0x022e0000	success	1	0
1620743890.437875 WriteProcessMemory	process_identifier: 428 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x000000e8 base_address: 0x022e1000	success	1	0
1620743890.452875 WriteProcessMemory	process_identifier: 428 buffer: ×12ñ253s3ö35 process_handle: 0x000000e8 base_address: 0x02334000	success	1	0
1620743890.671875 WriteProcessMemory	process_identifier: 2116 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x00000184 base_address: 0x00450000	success	1	0
1620743890.671875 WriteProcessMemory	process_identifier: 2116 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x00000184 base_address: 0x00451000	success	1	0
1620743890.687875 WriteProcessMemory	process_identifier: 2116 buffer: ×12ñ253s3ö35 process_handle: 0x00000184 base_address: 0x004a4000	success	1	0
1620743891.015875 WriteProcessMemory	process_identifier: 3004 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x00000184 base_address: 0x00560000	success	1	0
1620743891.015875 WriteProcessMemory	process_identifier: 3004 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x00000184 base_address: 0x00561000	success	1	0
1620743891.031875 WriteProcessMemory	process_identifier: 3004 buffer: ×12ñ253s3ö35 process_handle: 0x00000184 base_address: 0x005b4000	success	1	0
1620743891.062875 WriteProcessMemory	process_identifier: 3004 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x00000184 base_address: 0x02460000	success	1	0
1620743891.062875 WriteProcessMemory	process_identifier: 3004 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x00000184 base_address: 0x02461000	success	1	0
1620743891.093875 WriteProcessMemory	process_identifier: 3004 buffer: ×12ñ253s3ö35 process_handle: 0x00000184 base_address: 0x024b4000	success	1	0
1620743891.093875 WriteProcessMemory	process_identifier: 3004 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x00000184 base_address: 0x024c0000	success	1	0
1620743891.093875 WriteProcessMemory	process_identifier: 3004 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x00000184 base_address: 0x024c1000	success	1	0
1620743891.109875 WriteProcessMemory	process_identifier: 3004 buffer: ×12ñ253s3ö35 process_handle: 0x00000184 base_address: 0x02514000	success	1	0
1620743891.140875 WriteProcessMemory	process_identifier: 3004 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x000001ec base_address: 0x02520000	success	1	0
1620743891.140875 WriteProcessMemory	process_identifier: 3004 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x000001ec base_address: 0x02521000	success	1	0
1620743891.156875 WriteProcessMemory	process_identifier: 3004 buffer: ×12ñ253s3ö35 process_handle: 0x000001ec base_address: 0x02574000	success	1	0
1620743891.218875 WriteProcessMemory	process_identifier: 3004 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x000001f8 base_address: 0x02580000	success	1	0
1620743891.218875 WriteProcessMemory	process_identifier: 3004 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x000001f8 base_address: 0x02581000	success	1	0
1620743891.234875 WriteProcessMemory	process_identifier: 3004 buffer: ×12ñ253s3ö35 process_handle: 0x000001f8 base_address: 0x025d4000	success	1	0
1620743891.281875 WriteProcessMemory	process_identifier: 3004 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x000001f8 base_address: 0x025e0000	success	1	0
1620743891.281875 WriteProcessMemory	process_identifier: 3004 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x000001f8 base_address: 0x025e1000	success	1	0
1620743891.296875 WriteProcessMemory	process_identifier: 3004 buffer: ×12ñ253s3ö35 process_handle: 0x000001f8 base_address: 0x02634000	success	1	0
1620743891.312875 WriteProcessMemory	process_identifier: 3004 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x000001f8 base_address: 0x02640000	success	1	0
1620743891.312875 WriteProcessMemory	process_identifier: 3004 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x000001f8 base_address: 0x02641000	success	1	0
1620743891.327875 WriteProcessMemory	process_identifier: 3004 buffer: ×12ñ253s3ö35 process_handle: 0x000001f8 base_address: 0x02694000	success	1	0
1620743891.343875 WriteProcessMemory	process_identifier: 3004 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x000001f8 base_address: 0x026a0000	success	1	0
1620743891.343875 WriteProcessMemory	process_identifier: 3004 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x000001f8 base_address: 0x026a1000	success	1	0
1620743891.359875 WriteProcessMemory	process_identifier: 3004 buffer: ×12ñ253s3ö35 process_handle: 0x000001f8 base_address: 0x026f4000	success	1	0
1620743891.359875 WriteProcessMemory	process_identifier: 3004 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x000001f8 base_address: 0x02700000	success	1	0
1620743891.359875 WriteProcessMemory	process_identifier: 3004 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x000001f8 base_address: 0x02701000	success	1	0
1620743891.390875 WriteProcessMemory	process_identifier: 3004 buffer: ×12ñ253s3ö35 process_handle: 0x000001f8 base_address: 0x02754000	success	1	0
1620743891.390875 WriteProcessMemory	process_identifier: 3004 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x000001f8 base_address: 0x02760000	success	1	0
1620743891.390875 WriteProcessMemory	process_identifier: 3004 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x000001f8 base_address: 0x02761000	success	1	0
1620743891.452875 WriteProcessMemory	process_identifier: 3004 buffer: ×12ñ253s3ö35 process_handle: 0x000001f8 base_address: 0x027b4000	success	1	0

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)

Time & API	Arguments	Status
1620743898.374875 RegSetValueExA	key_handle: 0x00000530 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620743898.374875 RegSetValueExA	key_handle: 0x00000530 value: pHÄTF× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620743898.374875 RegSetValueExA	key_handle: 0x00000530 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620743898.374875 RegSetValueExW	key_handle: 0x00000530 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620743898.374875 RegSetValueExA	key_handle: 0x000009b0 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620743898.374875 RegSetValueExA	key_handle: 0x000009b0 value: pHÄTF× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620743898.374875 RegSetValueExA	key_handle: 0x000009b0 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620743898.406875 RegSetValueExW	key_handle: 0x0000052c value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success
1620743899.327875 RegSetValueExA	key_handle: 0x00000734 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620743899.327875 RegSetValueExA	key_handle: 0x00000734 value: ðüWTF× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620743899.327875 RegSetValueExA	key_handle: 0x00000734 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620743899.327875 RegSetValueExW	key_handle: 0x00000734 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620743899.327875 RegSetValueExA	key_handle: 0x00000738 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620743899.327875 RegSetValueExA	key_handle: 0x00000738 value: ðüWTF× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620743899.327875 RegSetValueExA	key_handle: 0x00000738 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success

Network activity contains more than one unique useragent (2 个事件)

process	svchost.exe				useragent	Internal
process	svchost.exe				useragent	Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Expresses interest in specific running processes (7 个事件)

process: potential process injection target	services.exe
process	dwm.exe
process	searchindexer.exe
process: potential process injection target	svchost.exe
process	searchfilterhost.exe
process	3ce7f45f3e96898bf0de39c7f3caa10d.exe
process: potential cuckoo sandbox detection	pythonw.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

35.205.61.67:80

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.326830
FireEye	Generic.mg.3ce7f45f3e96898b
CAT-QuickHeal	Backdoor.Generic
ALYac	Gen:Variant.Zusy.326830
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
SUPERAntiSpyware	Trojan.Agent/Gen-Shiz
K7AntiVirus	Spyware ( 004cadd91 )
Alibaba	Backdoor:Win32/Simda.79a1a15c
K7GW	Spyware ( 004cadd91 )
Cybereason	malicious.f3e968
Arcabit	Trojan.Zusy.D4FCAE
Baidu	Win32.Trojan-Spy.Shiz.b
Cyren	W32/Shiz.R.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Avast	Win32:Shiz-JT [Trj]
ClamAV	Win.Trojan.Generic-6323528-0
Kaspersky	HEUR:Backdoor.Win32.Generic
BitDefender	Gen:Variant.Zusy.326830
NANO-Antivirus	Trojan.Win32.Ibank.esrglb
Paloalto	generic.ml
AegisLab	Trojan.Win32.Generic.m!e
Rising	Trojan.Shiz!1.A8F0 (CLASSIC)
Ad-Aware	Gen:Variant.Zusy.326830
TACHYON	Backdoor/W32.Shiz
Emsisoft	Gen:Variant.Zusy.326830 (B)
Comodo	TrojWare.Win32.Spy.Shiz.ZV@6ldvxf
F-Secure	Trojan.TR/Hijacker.Gen
DrWeb	Trojan.PWS.Ibank.323
Zillya	Trojan.Shiz.Win32.554
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.fh
MaxSecure	Trojan.Malware.300983.susgen
Sophos	ML/PE-A + Mal/Emogen-Y
SentinelOne	Static AI - Malicious PE
Jiangmin	Backdoor.Generic.axsv
Avira	TR/Hijacker.Gen
Antiy-AVL	Trojan/Win32.Unknown
Gridinsoft	Trojan.Win32.Agent.ko!s1
Microsoft	Backdoor:Win32/Simda.gen!B
ZoneAlarm	HEUR:Backdoor.Win32.Generic
GData	Win32.Trojan.Spyshiz.A
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Gen
Acronis	suspicious
McAfee	BackDoor-FDOB!3CE7F45F3E96
MAX	malware (ai score=81)
VBA32	BScope.TrojanPSW.Ibank
Malwarebytes	Backdoor.Shiz

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2011-08-02 17:26:00

Imports

Library MSVCRT.dll:

• 0x40412c wcsstr

• 0x404130 _snwprintf

• 0x404134 strstr

• 0x404138 _snprintf

• 0x40413c _except_handler3

• 0x404140 memset

• 0x404144 memcpy

Library SHELL32.dll:

• 0x404160

• 0x404164 SHGetFolderPathA

Library SHLWAPI.dll:

• 0x40416c PathAddBackslashA

• 0x404170 StrStrIA

• 0x404174 PathFileExistsA

• 0x404178 PathAppendA

Library ntdll.dll:

• 0x404190 RtlAdjustPrivilege

• 0x404194 RtlImageNtHeader

• 0x404198 RtlCreateUserThread

Library KERNEL32.dll:

• 0x404028 GetSystemTimeAsFileTime

• 0x40402c GetModuleFileNameW

• 0x404030 SetCurrentDirectoryA

• 0x404034 MoveFileA

• 0x404038 DeviceIoControl

• 0x40403c ExitProcess

• 0x404040 GlobalAddAtomA

• 0x404044 GlobalFindAtomA

• 0x404048 CopyFileA

• 0x40404c GetCurrentProcessId

• 0x404050 InterlockedDecrement

• 0x404054 CreateFileW

• 0x404058 GetVersionExA

• 0x40405c FreeLibrary

• 0x404060 IsDebuggerPresent

• 0x404064 GetTickCount

• 0x404068 GetVolumeInformationA

• 0x40406c GetEnvironmentVariableA

• 0x404070 GetModuleFileNameA

• 0x404074 CreateFileA

• 0x404078 SetFilePointer

• 0x40407c MoveFileExA

• 0x404080 lstrcpynA

• 0x404084 SetEndOfFile

• 0x404088 UnlockFile

• 0x40408c LockFile

• 0x404090 SetFileTime

• 0x404094 WriteFile

• 0x404098 IsBadWritePtr

• 0x40409c ReadFile

• 0x4040a0 GetFileSizeEx

• 0x4040a4 GetLastError

• 0x4040a8 SetFileAttributesA

• 0x4040ac GetTempFileNameA

• 0x4040b0 GetFileTime

• 0x4040b4 GetTempPathA

• 0x4040b8 DeleteFileA

• 0x4040bc GetProcAddress

• 0x4040c0 GetModuleHandleA

• 0x4040c4 HeapAlloc

• 0x4040c8 HeapFree

• 0x4040cc GetProcessHeap

• 0x4040d0 HeapValidate

• 0x4040d4 GetCurrentProcess

• 0x4040d8 Sleep

• 0x4040dc FlushInstructionCache

• 0x4040e0 VirtualAlloc

• 0x4040e4 VirtualQuery

• 0x4040e8 Process32First

• 0x4040ec VirtualFree

• 0x4040f0 CreateRemoteThread

• 0x4040f4 OpenProcess

• 0x4040f8 CreateProcessA

• 0x4040fc Module32First

• 0x404100 GetHandleInformation

• 0x404104 VirtualAllocEx

• 0x404108 LoadLibraryA

• 0x40410c Process32Next

• 0x404110 CreateToolhelp32Snapshot

• 0x404114 Module32Next

• 0x404118 CloseHandle

• 0x40411c WriteProcessMemory

• 0x404120 SwitchToThread

• 0x404124 GetSystemWindowsDirectoryA

Library USER32.dll:

• 0x404180 FindWindowA

• 0x404184 CharUpperA

• 0x404188 PostMessageA

Library ADVAPI32.dll:

• 0x404000 RegCreateKeyExA

• 0x404004 RegSetValueExA

• 0x404008 RegQueryValueExA

• 0x40400c RegOpenKeyExA

• 0x404010 RegFlushKey

• 0x404014 RegCloseKey

• 0x404018 OpenProcessToken

• 0x40401c GetTokenInformation

• 0x404020 GetUserNameA

Library ole32.dll:

• 0x4041a0 CoUninitialize

• 0x4041a4 CoCreateInstance

• 0x4041a8 CoInitializeSecurity

• 0x4041ac CoInitializeEx

Library OLEAUT32.dll:

• 0x40414c SysFreeString

• 0x404150 SysAllocString

• 0x404154 VariantClear

• 0x404158 VariantInit

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
lyvyxor.com	A 208.100.26.245
qekyqop.com
purydyv.com
qetyvep.com
vojyqem.com
galykes.com
lygymoj.com
vocyzit.com
lymysan.com
vowycac.com
puzywel.com	A 54.227.98.220	54.227.98.220
volykyc.com	A 35.225.160.245	35.225.160.245
pufygug.com	A 54.227.98.220	54.227.98.220
lymyxid.com
gaqycos.com
puzylyp.com	A 54.227.98.220	54.227.98.220
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
volyqat.com
gatyfus.com
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49199	18.235.67.128	80
192.168.56.101	49187	208.100.26.245 lyvyxor.com	80
192.168.56.101	49179	23.253.46.64 gahyqah.com	80
192.168.56.101	49197	23.253.46.64 gahyqah.com	80
192.168.56.101	49196	23.80.253.233	80
192.168.56.101	49200	23.80.253.233	80
192.168.56.101	49194	35.225.160.245 volykyc.com	80
192.168.56.101	49195	35.225.160.245 volykyc.com	80
192.168.56.101	49181	54.227.98.220 puzylyp.com	80
192.168.56.101	49182	54.227.98.220 puzylyp.com	80
192.168.56.101	49183	54.227.98.220 puzylyp.com	80
192.168.56.101	49185	54.227.98.220 puzylyp.com	80
192.168.56.101	49188	54.227.98.220 puzylyp.com	80
192.168.56.101	49189	54.227.98.220 puzylyp.com	80
192.168.56.101	49190	54.227.98.220 puzylyp.com	80
192.168.56.101	49191	54.227.98.220 puzylyp.com	80
192.168.56.101	49192	54.227.98.220 puzylyp.com	80
192.168.56.101	49212	54.227.98.220 puzylyp.com	80
192.168.56.101	49213	54.227.98.220 puzylyp.com	80
192.168.56.101	49214	54.227.98.220 puzylyp.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49710	114.114.114.114	53
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	50047	114.114.114.114	53
192.168.56.101	50320	114.114.114.114	53
192.168.56.101	50433	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	50849	114.114.114.114	53
192.168.56.101	51137	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	51660	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	52124	114.114.114.114	53
192.168.56.101	52812	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	53380	114.114.114.114	53
192.168.56.101	53500	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53

HTTP & HTTPS Requests

URI	Data
http://lyvyxor.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyvyxor.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://pupybul.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupybul.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://volykyc.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: volykyc.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://lysyfyj.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyfyj.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://qegyhig.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://pumypog.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pumypog.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://www.pupybul.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: www.pupybul.com Connection: Keep-Alive \x9e\x84\xb5\xe8q(
http://puzylyp.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://ganypih.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ganypih.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://melanthios-ana.com/zcvisitor/b2441d66-b223-11eb-8d9d-1211e9200e73/72092e88-2c53-401c-b988-51ef43ce1034?campaignid=62a5ec10-a752-11eb-b4f9-0a918cbcbb97	GET /zcvisitor/b2441d66-b223-11eb-8d9d-1211e9200e73/72092e88-2c53-401c-b988-51ef43ce1034?campaignid=62a5ec10-a752-11eb-b4f9-0a918cbcbb97 HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: melanthios-ana.com Connection: Keep-Alive \x9e\x84\xb5\xe8q(

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.