9.8 Critical

SHA256: e325f5b718e1696f24422d2c97c029bffa1b1030a38720a2adb393b683cf8466

3df42511034cb9c44da3b259909e82f0.exe

Analysis duration: 83s

Most recent analysis:

File size: 796.5KB
Static detection  Dynamic detection
Eagle Eye engine
Not detected: no Eagle Eye engine detection results yet
Static verdict
Antivirus engines
Not detected: no antivirus engine detection results yet
Static indicators
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time: 1619384498.780875  API: GlobalMemoryStatusEx  Status: success  Return: 1  Repeated: 0
The executable uses a known packer (1 event)
packer: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (50 of 8194 events)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time: 1619384542.702875  API: NtProtectVirtualMemory
Arguments: process_identifier: 340, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 1, length: 77824, protection: 32 (PAGE_EXECUTE_READ), process_handle: 0xffffffff, base_address: 0x03c31000
Status: success  Return: 0  Repeated: 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.888647343995527, section UPX1 (size_of_data: 0x0009ca00, virtual_address: 0x00129000, virtual_size: 0x0009d000): a section with high entropy has been found
entropy 0.7875549968573224: overall entropy of this PE file is high
The executable is compressed using UPX (2 events)
section UPX0: section name indicates UPX
section UPX1: section name indicates UPX
Network communication
One or more of the buffers contains an embedded PE file (1 event)
buffer: buffer with sha1 8aba2a7b8afea13a74545b6764f81df18d070fba
Allocates execute permission in another process, indicative of possible code injection (50 of 8693 events)
Installs itself for autorun at Windows startup (1 event)
reg_key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla  reg_value: C:\Users\Administrator.Oskar-PC\AppData\Local\Mozilla\MiniCalc.exe
Creates a thread using CreateRemoteThread in a non-child process, indicative of process injection (50 of 129 events)
Process injection: process 340 created a remote thread in non-child process 0
Time & API Arguments Status Return Repeated
1619384542.655875
CreateRemoteThread
thread_identifier: 0
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
(this entry is listed 39 times verbatim at timestamp 1619384542.655875)
1619384542.671875
CreateRemoteThread
(same arguments as above: all identifiers, addresses and the stack size are 0)
failed 0 0
(this entry is listed 10 times verbatim at timestamp 1619384542.671875)
Manipulates memory of a non-child process indicative of process injection (50 of 8693 events)
Process injection: process 340 manipulating memory of non-child process 0
Each entry below is an NtAllocateVirtualMemory call with process_handle 0x00000000 that returns 3221225480, i.e. NTSTATUS 0xC0000008 (STATUS_INVALID_HANDLE): the kernel rejected the NULL handle and no memory was reserved in any other process. The signature fires on the attempt, not on a successful allocation, and "process 0" is the placeholder for a target that could not be resolved from that handle.
Time & API Arguments Status Return Repeated
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10410000
failed 3221225480 0
(49 entries share this timestamp, these arguments and this status; they differ only in base_address, which advances in 0x10000 steps from 0x10410000 to 0x10710000 inclusive, one entry per address: 0x10410000, 0x10420000, 0x10430000, 0x10440000, 0x10450000, 0x10460000, 0x10470000, 0x10480000, 0x10490000, 0x104a0000, 0x104b0000, 0x104c0000, 0x104d0000, 0x104e0000, 0x104f0000, 0x10500000, 0x10510000, 0x10520000, 0x10530000, 0x10540000, 0x10550000, 0x10560000, 0x10570000, 0x10580000, 0x10590000, 0x105a0000, 0x105b0000, 0x105c0000, 0x105d0000, 0x105e0000, 0x105f0000, 0x10600000, 0x10610000, 0x10620000, 0x10630000, 0x10640000, 0x10650000, 0x10660000, 0x10670000, 0x10680000, 0x10690000, 0x106a0000, 0x106b0000, 0x106c0000, 0x106d0000, 0x106e0000, 0x106f0000, 0x10700000, 0x10710000. region_size 110592 is 0x1B000, 108 KiB, requested at PAGE_EXECUTE_READWRITE each time.)
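To keep a report like this from overstating what was injected where, the triage below, added here as an example and not part of the report, parses entries in the flattened timestamp / API / key: value / status return repeated layout used above, buckets each call by whether the kernel could have acted on it (NULL handle, failed, the caller's own space via the GetCurrentProcess pseudo-handle, or a real cross-process handle) and names the NTSTATUS values. The sample text is constructed: the first three entries have the shape of the ones listed in this report, the fourth is an invented successful write to a pid 1234 so that the cross-process path is exercised; the NTSTATUS table is a small hand-picked map.

```python
"""Which 'process injection' events could the kernel actually have carried out?

Added example, not part of the sandbox report. Parses the report's flattened
'timestamp / API / key: value / status return repeated' text layout.
"""
from __future__ import annotations
import re
from collections import Counter

# Assumption: a small hand-picked NTSTATUS map is enough for logs like this one.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000008: "STATUS_INVALID_HANDLE",
    0xC0000022: "STATUS_ACCESS_DENIED",
}
CURRENT_PROCESS = 0xFFFFFFFF   # GetCurrentProcess() pseudo-handle on 32-bit Windows
CROSS_PROCESS_APIS = {"NtAllocateVirtualMemory", "WriteProcessMemory", "CreateRemoteThread"}

ENTRY_START = re.compile(r"^\d{10}\.\d+$")                       # e.g. 1619384541.718875
STATUS_LINE = re.compile(r"^(success|failed)\s+(\d+)\s+(\d+)$")  # status return repeated


def ntstatus_name(code: int) -> str:
    code &= 0xFFFFFFFF
    return NTSTATUS_NAMES.get(code, f"0x{code:08X}")


def parse_report_text(text: str, caller: int) -> list[dict]:
    """One dict per entry: caller, time, api, args, status, ret, repeated."""
    events, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if ENTRY_START.match(line):
            cur = {"caller": caller, "time": float(line), "api": None, "args": {}}
        elif cur is None:
            continue                                   # text before the first entry
        elif cur["api"] is None:
            cur["api"] = line
        elif (m := STATUS_LINE.match(line)):
            cur["status"], cur["ret"], cur["repeated"] = m[1], int(m[2]), int(m[3])
            events.append(cur)
            cur = None
        else:
            key, _, value = line.partition(":")
            cur["args"][key.strip()] = value.strip()
    return events


def classify(ev: dict) -> str:
    """'null-handle' and 'failed' were rejected by the kernel, 'self' is the caller's
    own address space; only 'cross-process' can have touched another process."""
    if ev["api"] not in CROSS_PROCESS_APIS:
        return "ignored"
    handle = int(ev["args"].get("process_handle", "0"), 16)
    pid = int(ev["args"].get("process_identifier", "0"))
    if handle == 0:
        return "null-handle"
    if ev["status"] != "success":
        return "failed"
    if handle == CURRENT_PROCESS or pid == ev["caller"]:
        return "self"
    return "cross-process"


def triage(events: list[dict]) -> dict:
    buckets = Counter(classify(e) for e in events)
    targets = sorted({int(e["args"]["process_identifier"]) for e in events
                      if classify(e) == "cross-process"})
    # Only the Nt* call returns an NTSTATUS; the Win32 APIs return BOOL or a HANDLE.
    failed_nt = Counter(ntstatus_name(e["ret"]) for e in events
                        if e["api"] == "NtAllocateVirtualMemory" and e["status"] != "success")
    return {"buckets": dict(buckets), "targets": targets, "failed_ntstatus": dict(failed_nt)}


# Constructed sample in the report's layout; the last entry is invented.
SAMPLE_REPORT = """\
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
base_address: 0x10410000
failed 3221225480 0
1619384541.686875
NtAllocateVirtualMemory
process_identifier: 340
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10410000
success 0 0
1619384542.655875
CreateRemoteThread
thread_identifier: 0
process_identifier: 0
function_address: 0x00000000
process_handle: 0x00000000
failed 0 0
1619384542.700000
WriteProcessMemory
process_identifier: 1234
buffer: (invented)
process_handle: 0x000001c8
base_address: 0x00400000
success 1 0
"""
```

Applied to the entries of this report, `targets` comes back empty and every cross-process signature lands in the null-handle bucket; the self bucket is where the packer's own RWX unpacking shows up.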
Potential code injection by writing to the memory of another process (50 of 257 events)
Process injection: process 340 injected into non-child 0
All entries below have process_identifier 0, process_handle 0x00000000 and base_address 0x00000000 and are marked failed with return 0 (FALSE): WriteProcessMemory on a NULL handle writes nothing, so the payload never reached another process in this run. The buffers are nevertheless the most useful artefact in this section, because they are the injector's own payload: each attempt writes a small block of pointers and then a position-independent x86 thread stub that consumes that block.
Time & API Arguments Status Return Repeated
1619384542.640875
WriteProcessMemory
process_identifier: 0
buffer: ×I5vÿ5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.640875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄô‹E‹‰Uô‹P‰Uø‹P‰UüÿuøÿUô¸ÿÿÿÿPÿUüëõ‹å]‹ÀU‹ìƒÄðSV‰Uü‹ð‹Eüè7Dùÿ3ÀUhGdÿ0d‰ 3ÛhGh GèûeùÿPèýeùÿ‰Eøh,Gh GèãeùÿPèåeùÿ‰Eð‹EüèúCùÿ‹Ð‹Æèñýÿÿ‰Eôj jMðº(G‹ÆèÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1619384542.655875
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]ÂSVWUƒÄè‹é‹ú‹Ø3öh8GhLGèüdùÿPèþdùÿ‰D$ hXGhLGèãdùÿPèådùÿ‰D$hhGhLGèÊdùÿPèÌdùÿ‰D$‹Õ‹Ã
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
Creates a Windows hook that monitors keyboard input (keylogger) (1 event)
Time & API Arguments Status Return Repeated
1619397750.50775
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x00405329
module_address: 0x00000000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 131295 0
Used NtSetContextThread to modify a thread in a remote process, indicative of process injection (2 events)
Process injection Process 340 called NtSetContextThread to modify thread in remote process 1124
Time & API Arguments Status Return Repeated
1619384541.421875
NtSetContextThread
thread_handle: 0x000001c0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4273684
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1124
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 340 resumed a thread in remote process 1124
Time & API Arguments Status Return Repeated
1619384541.655875
NtResumeThread
thread_handle: 0x000001c0
suspend_count: 1
process_identifier: 1124
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 172.217.24.14:443
Executed a process and injected code into it, probably while unpacking (50 out of 17398 events)
Time & API Arguments Status Return Repeated
1619384499.233875
NtResumeThread
thread_handle: 0x00000184
suspend_count: 1
process_identifier: 340
success 0 0
1619384541.421875
CreateProcessInternalW
thread_identifier: 3036
thread_handle: 0x000001c0
process_identifier: 1124
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df42511034cb9c44da3b259909e82f0.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df42511034cb9c44da3b259909e82f0.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3df42511034cb9c44da3b259909e82f0.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000001b0
inherit_handles: 0
success 1 0
1619384541.421875
NtGetContextThread
thread_handle: 0x000001c0
success 0 0
1619384541.421875
NtUnmapViewOfSection
process_identifier: 1124
region_size: 4096
process_handle: 0x000001b0
base_address: 0x00400000
success 0 0
1619384541.421875
NtAllocateVirtualMemory
process_identifier: 1124
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001b0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619384541.421875
WriteProcessMemory
process_identifier: 1124
buffer:
process_handle: 0x000001b0
base_address: 0x00400000
success 1 0
1619384541.421875
WriteProcessMemory
process_identifier: 1124
buffer:
process_handle: 0x000001b0
base_address: 0x00401000
success 1 0
1619384541.421875
WriteProcessMemory
process_identifier: 1124
buffer:
process_handle: 0x000001b0
base_address: 0x00414000
success 1 0
1619384541.421875
WriteProcessMemory
process_identifier: 1124
buffer:
process_handle: 0x000001b0
base_address: 0x0041a000
success 1 0
1619384541.421875
WriteProcessMemory
process_identifier: 1124
buffer:
process_handle: 0x000001b0
base_address: 0x0041c000
success 1 0
1619384541.421875
WriteProcessMemory
process_identifier: 1124
buffer:
process_handle: 0x000001b0
base_address: 0x0041d000
success 1 0
1619384541.421875
NtSetContextThread
thread_handle: 0x000001c0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4273684
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 1124
success 0 0
1619384541.655875
NtResumeThread
thread_handle: 0x000001c0
suspend_count: 1
process_identifier: 1124
success 0 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10410000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10420000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10430000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10440000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10450000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10460000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10470000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10480000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10490000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104a0000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104b0000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104c0000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104d0000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104e0000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104f0000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10500000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10510000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1619384541.718875
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10520000
failed 3221225480 0
1619384541.718875
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
Visual Analysis
Binary Image
No binary image available. No binary visualization image was generated for this sample.
Runtime Screenshots
No runtime screenshots available. No screenshots were generated while this sample ran.

PE Compile Time

1992-06-20 06:22:17

Imports

Library KERNEL32.DLL:
0x5f00c4 LoadLibraryA
0x5f00c8 GetProcAddress
0x5f00cc VirtualProtect
0x5f00d0 ExitProcess
Library advapi32.dll:
0x5f00d8 RegCloseKey
Library comctl32.dll:
0x5f00e0 ImageList_Add
Library comdlg32.dll:
0x5f00e8 GetSaveFileNameA
Library gdi32.dll:
0x5f00f0 SaveDC
Library mpr.dll:
Library msimg32.dll:
0x5f0100 GradientFill
Library ole32.dll:
0x5f0108 OleDraw
Library oleaut32.dll:
0x5f0110 VariantCopy
Library shell32.dll:
0x5f0118 ShellExecuteA
Library SHFolder.dll:
0x5f0120 SHGetFolderPathA
Library URLMON.DLL:
Library user32.dll:
0x5f0130 GetDC
Library version.dll:
0x5f0138 VerQueryValueA
Library wininet.dll:
0x5f0140 FindCloseUrlCache

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.