SmartHawk

14.0

0-day

61 个模型检测该样本为恶意！

重新分析

下载样本

68e7c82cc5535b87b0e1310f9a054432944b6efa0471e2b03101554bdf7decc2

5d25afb224b5499cb35fe152b39e6e1c.exe

分析耗时

74s

最近分析

文件大小

355.5KB

静态报毒动态报毒 100% A + MAL AI SCORE=85 AIDETECTVM ATTRIBUTE AXSV BSCOPE CARBERP CLASSIC CONFIDENCE ELDORADO EMOGEN ESRGLB FDOB GENASA HIGH CONFIDENCE HIGHCONFIDENCE HIJACKER IBANK MALICIOUS PE MALWARE1 SCORE SHIZ SIMDA SPYSHIZ STATIC AI SUSGEN TROJANPSW UNSAFE WQW@AABPKNM XDLQGVFONP0 ZEXAF ZUSY ZV@6LDVXF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	BackDoor-FDOB!5D25AFB224B5	20201211	6.0.6.653
Alibaba	Backdoor:Win32/Simda.f05cabd9	20190527	0.3.0.5
Baidu	Win32.Trojan-Spy.Shiz.b	20190318	1.0.0.2
Avast	Win32:Shiz-JT [Trj]	20201210	21.1.5827.0
Tencent	Backdoor.Win32.Generic.a	20201211	1.0.0.1
Kingsoft		20201211	2017.9.26.565
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (3 个事件)

Time & API	Arguments	Status	Return
1619517558.13225 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619517558.97625 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619517558.99225 GetComputerNameA	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (18 个事件)

Time & API	Arguments	Status	Return	Repeated
1619513301.471924 IsDebuggerPresent		failed	0	0
1619517557.58625 IsDebuggerPresent		failed	0	0
1619517559.50725 IsDebuggerPresent		failed	0	0
1619517559.69525 IsDebuggerPresent		failed	0	0
1619517560.27325 IsDebuggerPresent		failed	0	0
1619517560.35125 IsDebuggerPresent		failed	0	0
1619517560.49225 IsDebuggerPresent		failed	0	0
1619517560.50725 IsDebuggerPresent		failed	0	0
1619517560.57025 IsDebuggerPresent		failed	0	0
1619517560.72625 IsDebuggerPresent		failed	0	0
1619517560.86725 IsDebuggerPresent		failed	0	0
1619517560.89825 IsDebuggerPresent		failed	0	0
1619517560.94525 IsDebuggerPresent		failed	0	0
1619517560.97625 IsDebuggerPresent		failed	0	0
1619517561.02325 IsDebuggerPresent		failed	0	0
1619517561.05425 IsDebuggerPresent		failed	0	0
1619517561.10125 IsDebuggerPresent		failed	0	0
1619517561.16425 IsDebuggerPresent		failed	0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (18 个事件)

request	GET http://qetyfuv.com/login.php
request	GET http://puvytuq.com/login.php
request	GET http://lyvyxor.com/login.php
request	GET http://lysyfyj.com/login.php
request	GET http://gahyqah.com/login.php
request	GET http://puzylyp.com/login.php
request	GET http://pufygug.com/login.php
request	GET http://pumyxiv.com/login.php
request	GET http://qegyhig.com/login.php
request	GET http://pupybul.com/login.php
request	GET http://puzywel.com/login.php
request	GET http://ganypih.com/login.php
request	GET http://volykyc.com/login.php
request	GET http://galyqaz.com/login.php
request	GET http://pumypog.com/login.php
request	GET http://qeqysag.com/login.php
request	GET http://www.pupybul.com/login.php
request	GET http://aristo-hag.com/zcvisitor/533b59a2-a6fc-11eb-8306-1201ee207dc5/72092e88-2c53-401c-b988-51ef43ce1034?campaignid=534f7df3-a6fc-11eb-8306-1201ee207dc5

Allocates read-write-execute memory (usually to unpack itself) (50 out of 79 个事件)

Time & API	Arguments	Status
1619517557.96125 NtAllocateVirtualMemory	process_identifier: 2544 region_size: 745472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02450000	success
1619517558.46125 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 405504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00610000	success
1619517558.99225 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01f30000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f30000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775e9000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f30000	success
1619517558.99225 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01f40000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f40000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f40000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f30000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775e9000	success
1619517558.99225 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01f50000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f50000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01f50000	success
1619517558.99225 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01fb0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01fb0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01fb0000	success
1619517558.99225 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01fc0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01fc0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01fc0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01fb0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1619517558.99225 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01fd0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01fd0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01fd0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1619517558.99225 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01fe0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01fe0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01fe0000	success
1619517558.99225 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01ff0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01ff0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01ff0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x01fe0000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1619517558.99225 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02000000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x02000000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x02000000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1619517558.99225 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02010000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x02010000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x02010000	success
1619517558.99225 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02020000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x02020000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x02020000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x02010000	success
1619517558.99225 NtProtectVirtualMemory	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x775a7000	success
1619517558.99225 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02030000	success

Creates executable files on the filesystem (1 个事件)

file	C:\Windows\AppPatch\svchost.exe

Creates a suspicious process (1 个事件)

cmdline

C:\Windows\AppPatch\svchost.exe

Drops a binary and executes it (1 个事件)

file	C:\Windows\AppPatch\svchost.exe

Drops an executable to the user AppData folder (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5781.tmp

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 个事件)

Time & API	Arguments	Status	Return
1619513301.503924 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x000000a4 process_identifier: 1912	success	1
1619513301.503924 Process32NextW	process_name: mobsync.exe snapshot_handle: 0x000000a4 process_identifier: 284	success	1
1619513301.503924 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x000000a4 process_identifier: 880	success	1
1619517557.60125 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000000a4 process_identifier: 2544	success	1
1619517557.60125 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000a4 process_identifier: 2056	success	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619517559.89825 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 71 个事件)

Time & API	Arguments	Status
1619513301.503924 Process32NextW	process_name: 5d25afb224b5499cb35fe152b39e6e1c.exe snapshot_handle: 0x000000a4 process_identifier: 2852	failed
1619513301.518924 Process32NextW	process_name: 5d25afb224b5499cb35fe152b39e6e1c.exe snapshot_handle: 0x000000a4 process_identifier: 2852	failed
1619513301.518924 Process32NextW	process_name: 5d25afb224b5499cb35fe152b39e6e1c.exe snapshot_handle: 0x000000a4 process_identifier: 2852	failed
1619513301.534924 Process32NextW	process_name: 5d25afb224b5499cb35fe152b39e6e1c.exe snapshot_handle: 0x000000a4 process_identifier: 2852	failed
1619517557.60125 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000a4 process_identifier: 2056	failed
1619517557.61725 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000a4 process_identifier: 2056	failed
1619517557.61725 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000a4 process_identifier: 2056	failed
1619517557.61725 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000000a4 process_identifier: 2056	failed
1619517559.52325 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000844 process_identifier: 2056	failed
1619517559.53925 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000844 process_identifier: 2056	failed
1619517559.55425 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000844 process_identifier: 2056	failed
1619517559.69525 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000008c4 process_identifier: 2056	failed
1619517559.71125 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000008c4 process_identifier: 2056	failed
1619517559.72625 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000008c4 process_identifier: 2056	failed
1619517559.72625 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000008c4 process_identifier: 2056	failed
1619517560.28925 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000900 process_identifier: 2056	failed
1619517560.30425 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000900 process_identifier: 2056	failed
1619517560.32025 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000900 process_identifier: 2056	failed
1619517560.33625 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000900 process_identifier: 2056	failed
1619517560.36725 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000978 process_identifier: 2056	failed
1619517560.38225 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000978 process_identifier: 2056	failed
1619517560.38225 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000978 process_identifier: 2056	failed
1619517560.39825 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000978 process_identifier: 2056	failed
1619517560.52325 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000604 process_identifier: 2056	failed
1619517560.55425 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000634 process_identifier: 2056	failed
1619517560.57025 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000007ec process_identifier: 2056	failed
1619517560.61725 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000604 process_identifier: 2056	failed
1619517560.63225 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000604 process_identifier: 2056	failed
1619517560.64825 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000007ec process_identifier: 2056	failed
1619517560.67925 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000007ec process_identifier: 2056	failed
1619517560.69525 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000604 process_identifier: 2056	failed
1619517560.74225 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000614 process_identifier: 2056	failed
1619517560.77325 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000614 process_identifier: 2056	failed
1619517560.77325 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000614 process_identifier: 2056	failed
1619517560.78925 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000614 process_identifier: 2056	failed
1619517560.80425 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000614 process_identifier: 2056	failed
1619517560.82025 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000614 process_identifier: 2056	failed
1619517560.83625 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000080c process_identifier: 2056	failed
1619517560.85125 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000080c process_identifier: 2056	failed
1619517560.88225 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000634 process_identifier: 2056	failed
1619517560.89825 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000634 process_identifier: 2056	failed
1619517560.91425 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000005f0 process_identifier: 2056	failed
1619517560.91425 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000804 process_identifier: 2056	failed
1619517560.94525 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000005f0 process_identifier: 2056	failed
1619517560.96125 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000005f0 process_identifier: 2056	failed
1619517560.96125 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000804 process_identifier: 2056	failed
1619517560.99225 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000005f0 process_identifier: 2056	failed
1619517561.00725 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000005f0 process_identifier: 2056	failed
1619517561.07025 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x000005e4 process_identifier: 2056	failed
1619517561.08625 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000063c process_identifier: 2056	failed

Created a process named as a common system process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619513302.940924 CreateProcessInternalW	thread_identifier: 2236 thread_handle: 0x000000f4 process_identifier: 2544 current_directory: filepath: C:\Windows\AppPatch\svchost.exe track: 1 command_line: filepath_r: C:\Windows\apppatch\svchost.exe stack_pivoted: 0 creation_flags: 0 () process_handle: 0x000000e8 inherit_handles: 0	success	1	0

One or more of the buffers contains an embedded PE file (1 个事件)

buffer

Buffer with sha1: 501b45da2f14fb66a5098cfaa2e35fcd0070956c

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (12 个事件)

Time & API	Arguments	Status
1619517557.91425 NtAllocateVirtualMemory	process_identifier: 2544 region_size: 688128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000000e8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x022a0000	success
1619517558.17925 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000180 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00320000	success
1619517558.44525 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000180 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x007d0000	success
1619517558.47625 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000180 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02480000	success
1619517558.52325 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000180 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x024e0000	success
1619517558.55425 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02540000	success
1619517558.61725 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000180 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x025a0000	success
1619517558.66425 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000200 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02600000	success
1619517558.67925 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000200 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02660000	success
1619517558.72625 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000022c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x026c0000	success
1619517558.77325 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000022c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02720000	success
1619517558.88225 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000258 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02780000	success

Attempts to identify installed AV products by installation directory (1 个事件)

file	C:\Program Files (x86)\AVG\AVG9\dfncfg.dat

Checks for the presence of known windows from debuggers and forensic tools (18 个事件)

Time & API	Arguments	Status
1619513301.471924 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517557.58625 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517559.50725 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517559.69525 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517560.27325 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517560.35125 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517560.49225 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517560.50725 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517560.67925 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517560.77325 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517560.86725 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517560.89825 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517560.94525 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517560.97625 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517561.02325 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517561.05425 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517561.10125 FindWindowA	class_name: OLLYDBG window_name:	failed
1619517561.16425 FindWindowA	class_name: OLLYDBG window_name:	failed

Checks the version of Bios, possibly for anti-virtualization (1 个事件)

registry

HKEY_LOCAL_MACHINE\SystemBiosVersion

Disables proxy possibly for traffic interception (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619517558.94525 RegSetValueExA	key_handle: 0x00000294 value: 0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	success	0	0

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (13 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 created a remote thread in non-child process 2056
Process injection	Process 2544 created a remote thread in non-child process 2852
1619517558.44525 CreateRemoteThread	thread_identifier: 0 process_identifier: 2056 function_address: 0x00321360 flags: 0 process_handle: 0x00000180 parameter: 0x00000000 stack_size: 0	success	476	0
1619517558.47625 CreateRemoteThread	thread_identifier: 0 process_identifier: 2852 function_address: 0x007d1360 flags: 0 process_handle: 0x00000180 parameter: 0x00000000 stack_size: 0	failed	0	0
1619517558.52325 CreateRemoteThread	thread_identifier: 0 process_identifier: 2852 function_address: 0x02481360 flags: 0 process_handle: 0x00000180 parameter: 0x00000000 stack_size: 0	failed	0	0
1619517558.53925 CreateRemoteThread	thread_identifier: 0 process_identifier: 2852 function_address: 0x024e1360 flags: 0 process_handle: 0x00000180 parameter: 0x00000000 stack_size: 0	failed	0	0
1619517558.60125 CreateRemoteThread	thread_identifier: 0 process_identifier: 2852 function_address: 0x02541360 flags: 0 process_handle: 0x000001f4 parameter: 0x00000000 stack_size: 0	failed	0	0
1619517558.64825 CreateRemoteThread	thread_identifier: 0 process_identifier: 2852 function_address: 0x025a1360 flags: 0 process_handle: 0x00000180 parameter: 0x00000000 stack_size: 0	failed	0	0
1619517558.67925 CreateRemoteThread	thread_identifier: 0 process_identifier: 2852 function_address: 0x02601360 flags: 0 process_handle: 0x00000200 parameter: 0x00000000 stack_size: 0	failed	0	0
1619517558.71125 CreateRemoteThread	thread_identifier: 0 process_identifier: 2852 function_address: 0x02661360 flags: 0 process_handle: 0x00000200 parameter: 0x00000000 stack_size: 0	failed	0	0
1619517558.75725 CreateRemoteThread	thread_identifier: 0 process_identifier: 2852 function_address: 0x026c1360 flags: 0 process_handle: 0x0000022c parameter: 0x00000000 stack_size: 0	failed	0	0
1619517558.83625 CreateRemoteThread	thread_identifier: 0 process_identifier: 2852 function_address: 0x02721360 flags: 0 process_handle: 0x0000022c parameter: 0x00000000 stack_size: 0	failed	0	0
1619517558.89825 CreateRemoteThread	thread_identifier: 0 process_identifier: 2852 function_address: 0x02781360 flags: 0 process_handle: 0x00000258 parameter: 0x00000000 stack_size: 0	failed	0	0

Manipulates memory of a non-child process indicative of process injection (15 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 manipulating memory of non-child process 2544
Process injection	Process 2544 manipulating memory of non-child process 2056
Process injection	Process 2544 manipulating memory of non-child process 2852
1619517557.91425 NtAllocateVirtualMemory	process_identifier: 2544 region_size: 688128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000000e8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x022a0000	success	0	0
1619517558.17925 NtAllocateVirtualMemory	process_identifier: 2056 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000180 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00320000	success	0	0
1619517558.44525 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000180 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x007d0000	success	0	0
1619517558.47625 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000180 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02480000	success	0	0
1619517558.52325 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000180 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x024e0000	success	0	0
1619517558.55425 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02540000	success	0	0
1619517558.61725 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000180 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x025a0000	success	0	0
1619517558.66425 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000200 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02600000	success	0	0
1619517558.67925 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000200 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02660000	success	0	0
1619517558.72625 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000022c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x026c0000	success	0	0
1619517558.77325 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000022c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02720000	success	0	0
1619517558.88225 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 348160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000258 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02780000	success	0	0

Potential code injection by writing to the memory of another process (39 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 injected into non-child 2544
Process injection	Process 2544 injected into non-child 2056
Process injection	Process 2544 injected into non-child 2852
1619517557.91425 WriteProcessMemory	process_identifier: 2544 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P*@@.text `.data @À.reloc`@(@B process_handle: 0x000000e8 base_address: 0x022a0000	success	1	0
1619517557.91425 WriteProcessMemory	process_identifier: 2544 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x000000e8 base_address: 0x022a1000	success	1	0
1619517557.94525 WriteProcessMemory	process_identifier: 2544 buffer: ×12ñ253s3ö35 process_handle: 0x000000e8 base_address: 0x022f4000	success	1	0
1619517558.17925 WriteProcessMemory	process_identifier: 2056 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x00000180 base_address: 0x00320000	success	1	0
1619517558.17925 WriteProcessMemory	process_identifier: 2056 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x00000180 base_address: 0x00321000	success	1	0
1619517558.17925 WriteProcessMemory	process_identifier: 2056 buffer: ×12ñ253s3ö35 process_handle: 0x00000180 base_address: 0x00374000	success	1	0
1619517558.44525 WriteProcessMemory	process_identifier: 2852 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x00000180 base_address: 0x007d0000	success	1	0
1619517558.44525 WriteProcessMemory	process_identifier: 2852 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x00000180 base_address: 0x007d1000	success	1	0
1619517558.47625 WriteProcessMemory	process_identifier: 2852 buffer: ×12ñ253s3ö35 process_handle: 0x00000180 base_address: 0x00824000	success	1	0
1619517558.47625 WriteProcessMemory	process_identifier: 2852 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x00000180 base_address: 0x02480000	success	1	0
1619517558.47625 WriteProcessMemory	process_identifier: 2852 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x00000180 base_address: 0x02481000	success	1	0
1619517558.50725 WriteProcessMemory	process_identifier: 2852 buffer: ×12ñ253s3ö35 process_handle: 0x00000180 base_address: 0x024d4000	success	1	0
1619517558.52325 WriteProcessMemory	process_identifier: 2852 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x00000180 base_address: 0x024e0000	success	1	0
1619517558.52325 WriteProcessMemory	process_identifier: 2852 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x00000180 base_address: 0x024e1000	success	1	0
1619517558.53925 WriteProcessMemory	process_identifier: 2852 buffer: ×12ñ253s3ö35 process_handle: 0x00000180 base_address: 0x02534000	success	1	0
1619517558.55425 WriteProcessMemory	process_identifier: 2852 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x000001f4 base_address: 0x02540000	success	1	0
1619517558.57025 WriteProcessMemory	process_identifier: 2852 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x000001f4 base_address: 0x02541000	success	1	0
1619517558.58625 WriteProcessMemory	process_identifier: 2852 buffer: ×12ñ253s3ö35 process_handle: 0x000001f4 base_address: 0x02594000	success	1	0
1619517558.61725 WriteProcessMemory	process_identifier: 2852 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x00000180 base_address: 0x025a0000	success	1	0
1619517558.61725 WriteProcessMemory	process_identifier: 2852 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x00000180 base_address: 0x025a1000	success	1	0
1619517558.64825 WriteProcessMemory	process_identifier: 2852 buffer: ×12ñ253s3ö35 process_handle: 0x00000180 base_address: 0x025f4000	success	1	0
1619517558.66425 WriteProcessMemory	process_identifier: 2852 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x00000200 base_address: 0x02600000	success	1	0
1619517558.66425 WriteProcessMemory	process_identifier: 2852 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x00000200 base_address: 0x02601000	success	1	0
1619517558.67925 WriteProcessMemory	process_identifier: 2852 buffer: ×12ñ253s3ö35 process_handle: 0x00000200 base_address: 0x02654000	success	1	0
1619517558.67925 WriteProcessMemory	process_identifier: 2852 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x00000200 base_address: 0x02660000	success	1	0
1619517558.67925 WriteProcessMemory	process_identifier: 2852 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x00000200 base_address: 0x02661000	success	1	0
1619517558.71125 WriteProcessMemory	process_identifier: 2852 buffer: ×12ñ253s3ö35 process_handle: 0x00000200 base_address: 0x026b4000	success	1	0
1619517558.72625 WriteProcessMemory	process_identifier: 2852 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x0000022c base_address: 0x026c0000	success	1	0
1619517558.72625 WriteProcessMemory	process_identifier: 2852 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x0000022c base_address: 0x026c1000	success	1	0
1619517558.75725 WriteProcessMemory	process_identifier: 2852 buffer: ×12ñ253s3ö35 process_handle: 0x0000022c base_address: 0x02714000	success	1	0
1619517558.77325 WriteProcessMemory	process_identifier: 2852 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x0000022c base_address: 0x02720000	success	1	0
1619517558.77325 WriteProcessMemory	process_identifier: 2852 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x0000022c base_address: 0x02721000	success	1	0
1619517558.82025 WriteProcessMemory	process_identifier: 2852 buffer: ×12ñ253s3ö35 process_handle: 0x0000022c base_address: 0x02774000	success	1	0
1619517558.88225 WriteProcessMemory	process_identifier: 2852 buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $lÙÝ éÝ éÝ é²{FÜ é²{tÜ éRichÝ éL£Â7Nà! ` P@@.text `.data @À.reloc`@(@B process_handle: 0x00000258 base_address: 0x02780000	success	1	0
1619517558.88225 WriteProcessMemory	process_identifier: 2852 buffer: d¡0Vü@p@^ÃÌÌÌÌÌÌÌÌÌÌÌÌUììUWÇEü3ÉÁ}®tAëúMø:EøEEüt· iÀ?BÁ:uïEüÀyPREüUfòÀZf3Â%ÿÿÿEüZXEü_å]ÂÌÌÌÌUììVuF<W\|0xÿu _3À^å]ÂD0\|L7$UþS_ EüGÆÎÞEøMôÒyâÿÿÿ+W;W±ëC3ÒU;Ws0ëIUÆPèÿÿÿ9EtE@E;GráUMôEø;Wtp·QUüÞ×];Úsz;ßrv3À;.Et @<.uùEðþÿÿMü}üuMó¤Æðþÿÿ@hwFû Eè\|þÿÿPèÿÿÿjjðþÿÿRÿÐðöu[_3À^å]ÂEÃPèmþÿÿPVèÖþÿÿØÃ[_^å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌUìQ Ï¤thÀtdÁEü;Ès[SVQê3ö÷Âþÿÿÿv@·TqÂ%ÿÇ;Çr]ß;Ãsâðú0uUAèFÑè;ðrÃEüI;Èr©^[å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì3ÀVEäEèEìEðEôEøEüè=ÿÿÿðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿÐEè^å]ÃÌÌÌÌUìì83ÀVWÇEäEèEìEðEôEøEüèèþÿÿðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿÐ}è3ÀÇEÈEÌEÐEÔEØEÜEàè¤þÿÿðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿÐEÌH<DPÇ_^å]ÃÌUììPVèaþÿÿðÆ hÌÂuøè\|üÿÿPèýÿÿ°þÿÿQhÿÐÀ[d0BHAWhÈ7 PèÔüÿÿVÿÐø}ìÿ.3ÀSÇE´E¸E¼EÀEÄEÈEÌèãýÿÿðh]ý5ÆpèüÿÿPèüÿÿjU´RVÿÐE¸H<tXwPhJÿaèÛûÿÿPèeüÿÿj@h0VjÿÐØ]ôÛµWTUð}ôuøMðó¤uì·V·FD0,Ò~*HüMôMøMðHøËMü}üuðMôó¤À(JuÙuìFPÓ+V4ûRPÆè;ýÿÿ¾Dû}øÀ³d$4hç[ãAuüè0ûÿÿPèºûÿÿVÿÐðöuhwFû èûÿÿPè¡ûÿÿMüVVQÿÐðöt^t?ëû?tGhÀy%ÿÿEüè×úÿÿPèaûÿÿUüRëDEüè¿úÿÿPèIûÿÿMüQVÿÐÇ?u¹}øG Ç}øÀTÿÿÿuì3ÀEÐEÔEØEÜEàEäEèèEüÿÿøh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿÐEÔH<TXUüèýÿÿEôFPÃEð}ðuôMüó¤Mìq(óthÅÖ\èúÿÿPè¢úÿÿ°þÿÿRÿÐÿÖ[_hÄÒmèûùÿÿPèúÿÿjÿÐ^å]Ã process_handle: 0x00000258 base_address: 0x02781000	success	1	0
1619517558.89825 WriteProcessMemory	process_identifier: 2852 buffer: ×12ñ253s3ö35 process_handle: 0x00000258 base_address: 0x027d4000	success	1	0

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)

Time & API	Arguments	Status
1619517562.47625 RegSetValueExA	key_handle: 0x000008cc value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619517562.47625 RegSetValueExA	key_handle: 0x000008cc value: Ðx';× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619517562.47625 RegSetValueExA	key_handle: 0x000008cc value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619517562.47625 RegSetValueExW	key_handle: 0x000008cc value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619517562.47625 RegSetValueExA	key_handle: 0x000008e8 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619517562.47625 RegSetValueExA	key_handle: 0x000008e8 value: Ðx';× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619517562.47625 RegSetValueExA	key_handle: 0x000008e8 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619517562.53925 RegSetValueExW	key_handle: 0x000008c8 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success
1619517563.07025 RegSetValueExA	key_handle: 0x000005c8 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619517563.07025 RegSetValueExA	key_handle: 0x000005c8 value: àev';× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619517563.07025 RegSetValueExA	key_handle: 0x000005c8 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619517563.07025 RegSetValueExW	key_handle: 0x000005c8 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619517563.07025 RegSetValueExA	key_handle: 0x000005cc value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619517563.07025 RegSetValueExA	key_handle: 0x000005cc value: àev';× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619517563.07025 RegSetValueExA	key_handle: 0x000005cc value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success

Network activity contains more than one unique useragent (2 个事件)

process	svchost.exe				useragent	Internal
process	svchost.exe				useragent	Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Expresses interest in specific running processes (6 个事件)

process: potential process injection target	services.exe
process	searchindexer.exe
process: potential process injection target	svchost.exe
process	searchfilterhost.exe
process	taskhost.exe
process	vboxservice.exe

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.326830
FireEye	Generic.mg.5d25afb224b5499c
CAT-QuickHeal	Backdoor.Generic
Qihoo-360	Win32/Trojan.Carberp.B
McAfee	BackDoor-FDOB!5D25AFB224B5
Cylance	Unsafe
Zillya	Trojan.Shiz.Win32.554
SUPERAntiSpyware	Trojan.Agent/Gen-Shiz
K7AntiVirus	Spyware ( 004cadd91 )
Alibaba	Backdoor:Win32/Simda.f05cabd9
K7GW	Spyware ( 004cadd91 )
Cybereason	malicious.224b54
Arcabit	Trojan.Zusy.D4FCAE
BitDefenderTheta	Gen:NN.ZexaF.34670.wqW@aaBPKNm
Cyren	W32/Shiz.R.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Baidu	Win32.Trojan-Spy.Shiz.b
APEX	Malicious
Avast	Win32:Shiz-JT [Trj]
ClamAV	Win.Trojan.Generic-6323528-0
Kaspersky	HEUR:Backdoor.Win32.Generic
BitDefender	Gen:Variant.Zusy.326830
NANO-Antivirus	Trojan.Win32.Ibank.esrglb
Paloalto	generic.ml
Tencent	Backdoor.Win32.Generic.a
Ad-Aware	Gen:Variant.Zusy.326830
TACHYON	Backdoor/W32.Shiz
Emsisoft	Gen:Variant.Zusy.326830 (B)
Comodo	TrojWare.Win32.Spy.Shiz.ZV@6ldvxf
F-Secure	Trojan.TR/Hijacker.Gen
DrWeb	Trojan.PWS.Ibank.323
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.fh
Sophos	ML/PE-A + Mal/Emogen-Y
Ikarus	Backdoor.Win32.Simda
Jiangmin	Backdoor.Generic.axsv
Avira	TR/Hijacker.Gen
Antiy-AVL	Trojan/Win32.Unknown
Gridinsoft	Trojan.Win32.Agent.ko!s1
Microsoft	Backdoor:Win32/Simda.gen!B
AegisLab	Trojan.Win32.Generic.m!e
ZoneAlarm	HEUR:Backdoor.Win32.Generic
GData	Win32.Trojan.Spyshiz.A
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Gen
Acronis	suspicious
VBA32	BScope.TrojanPSW.Ibank
ALYac	Gen:Variant.Zusy.326830

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2011-08-02 17:26:00

Imports

Library MSVCRT.dll:

• 0x40412c wcsstr

• 0x404130 _snwprintf

• 0x404134 strstr

• 0x404138 _snprintf

• 0x40413c _except_handler3

• 0x404140 memset

• 0x404144 memcpy

Library SHELL32.dll:

• 0x404160

• 0x404164 SHGetFolderPathA

Library SHLWAPI.dll:

• 0x40416c PathAddBackslashA

• 0x404170 StrStrIA

• 0x404174 PathFileExistsA

• 0x404178 PathAppendA

Library ntdll.dll:

• 0x404190 RtlAdjustPrivilege

• 0x404194 RtlImageNtHeader

• 0x404198 RtlCreateUserThread

Library KERNEL32.dll:

• 0x404028 GetSystemTimeAsFileTime

• 0x40402c GetModuleFileNameW

• 0x404030 SetCurrentDirectoryA

• 0x404034 MoveFileA

• 0x404038 DeviceIoControl

• 0x40403c ExitProcess

• 0x404040 GlobalAddAtomA

• 0x404044 GlobalFindAtomA

• 0x404048 CopyFileA

• 0x40404c GetCurrentProcessId

• 0x404050 InterlockedDecrement

• 0x404054 CreateFileW

• 0x404058 GetVersionExA

• 0x40405c FreeLibrary

• 0x404060 IsDebuggerPresent

• 0x404064 GetTickCount

• 0x404068 GetVolumeInformationA

• 0x40406c GetEnvironmentVariableA

• 0x404070 GetModuleFileNameA

• 0x404074 CreateFileA

• 0x404078 SetFilePointer

• 0x40407c MoveFileExA

• 0x404080 lstrcpynA

• 0x404084 SetEndOfFile

• 0x404088 UnlockFile

• 0x40408c LockFile

• 0x404090 SetFileTime

• 0x404094 WriteFile

• 0x404098 IsBadWritePtr

• 0x40409c ReadFile

• 0x4040a0 GetFileSizeEx

• 0x4040a4 GetLastError

• 0x4040a8 SetFileAttributesA

• 0x4040ac GetTempFileNameA

• 0x4040b0 GetFileTime

• 0x4040b4 GetTempPathA

• 0x4040b8 DeleteFileA

• 0x4040bc GetProcAddress

• 0x4040c0 GetModuleHandleA

• 0x4040c4 HeapAlloc

• 0x4040c8 HeapFree

• 0x4040cc GetProcessHeap

• 0x4040d0 HeapValidate

• 0x4040d4 GetCurrentProcess

• 0x4040d8 Sleep

• 0x4040dc FlushInstructionCache

• 0x4040e0 VirtualAlloc

• 0x4040e4 VirtualQuery

• 0x4040e8 Process32First

• 0x4040ec VirtualFree

• 0x4040f0 CreateRemoteThread

• 0x4040f4 OpenProcess

• 0x4040f8 CreateProcessA

• 0x4040fc Module32First

• 0x404100 GetHandleInformation

• 0x404104 VirtualAllocEx

• 0x404108 LoadLibraryA

• 0x40410c Process32Next

• 0x404110 CreateToolhelp32Snapshot

• 0x404114 Module32Next

• 0x404118 CloseHandle

• 0x40411c WriteProcessMemory

• 0x404120 SwitchToThread

• 0x404124 GetSystemWindowsDirectoryA

Library USER32.dll:

• 0x404180 FindWindowA

• 0x404184 CharUpperA

• 0x404188 PostMessageA

Library ADVAPI32.dll:

• 0x404000 RegCreateKeyExA

• 0x404004 RegSetValueExA

• 0x404008 RegQueryValueExA

• 0x40400c RegOpenKeyExA

• 0x404010 RegFlushKey

• 0x404014 RegCloseKey

• 0x404018 OpenProcessToken

• 0x40401c GetTokenInformation

• 0x404020 GetUserNameA

Library ole32.dll:

• 0x4041a0 CoUninitialize

• 0x4041a4 CoCreateInstance

• 0x4041a8 CoInitializeSecurity

• 0x4041ac CoInitializeEx

Library OLEAUT32.dll:

• 0x40414c SysFreeString

• 0x404150 SysAllocString

• 0x404154 VariantClear

• 0x404158 VariantInit

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
lyvyxor.com	A 208.100.26.245	208.100.26.245
qekyqop.com
purydyv.com
qetyvep.com
vojyqem.com
galykes.com
lygymoj.com
vocyzit.com
lymysan.com
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
puzywel.com	A 54.227.98.220
volykyc.com	A 35.225.160.245	35.225.160.245
vonyzuf.com
pufygug.com	A 54.227.98.220	54.227.98.220
lymyxid.com
gaqycos.com
qekykev.com
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
volyqat.com
pumyxiv.com	A 54.227.98.220

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49198	18.235.67.128	80
192.168.56.101	49180	208.100.26.245 lyvyxor.com	80
192.168.56.101	49182	23.253.46.64	80
192.168.56.101	49194	23.253.46.64	80
192.168.56.101	49187	23.80.253.233	80
192.168.56.101	49195	23.80.253.233	80
192.168.56.101	49189	35.225.160.245 volykyc.com	80
192.168.56.101	49190	35.225.160.245 volykyc.com	80
192.168.56.101	49179	54.227.98.220 pumyxiv.com	80
192.168.56.101	49183	54.227.98.220 pumyxiv.com	80
192.168.56.101	49184	54.227.98.220 pumyxiv.com	80
192.168.56.101	49185	54.227.98.220 pumyxiv.com	80
192.168.56.101	49186	54.227.98.220 pumyxiv.com	80
192.168.56.101	49188	54.227.98.220 pumyxiv.com	80
192.168.56.101	49191	54.227.98.220 pumyxiv.com	80
192.168.56.101	49192	54.227.98.220 pumyxiv.com	80
192.168.56.101	49193	54.227.98.220 pumyxiv.com	80
192.168.56.101	49202	54.227.98.220 pumyxiv.com	80
192.168.56.101	49203	54.227.98.220 pumyxiv.com	80
192.168.56.101	49204	54.227.98.220 pumyxiv.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49710	114.114.114.114	53
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	50047	114.114.114.114	53
192.168.56.101	50320	114.114.114.114	53
192.168.56.101	50433	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	50849	114.114.114.114	53
192.168.56.101	50921	114.114.114.114	53
192.168.56.101	51137	114.114.114.114	53
192.168.56.101	51162	114.114.114.114	53
192.168.56.101	51326	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	51660	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	52124	114.114.114.114	53
192.168.56.101	52126	114.114.114.114	53
192.168.56.101	52345	114.114.114.114	53

HTTP & HTTPS Requests

URI	Data
http://lyvyxor.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lyvyxor.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://pupybul.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pupybul.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://volykyc.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: volykyc.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://lysyfyj.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: lysyfyj.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://qegyhig.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: qegyhig.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://pumypog.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: pumypog.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://www.pupybul.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: www.pupybul.com Connection: Keep-Alive \x9e\x84\xb5\xe8q(
http://puzylyp.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puzylyp.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://ganypih.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: ganypih.com Content-Length: 6 \x9e\x84\xb5\xe8q(
http://puvytuq.com/login.php	GET /login.php HTTP/1.1 Referer: http://www.google.com User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) Host: puvytuq.com Content-Length: 6 \x9e\x84\xb5\xe8q(

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.