12.6
0-day

0ae847362d396ec65a69152f42fc0a8306530da2b05a63c14487f9cb245e9057

639cdf01445ff94e8030fd55369ddb0b.exe

Analysis duration

94s

Latest analysis

File size

679.5KB
Flagged by static scan  Flagged by dynamic scan  +CR9UKADB3A AI SCORE=99 ARTEMIS CLOUD COSMU EESA EESO FOUTQE GDSDA GENERICKD GENERICRXGI IGSQ MALWARE@#350Z48SBM5P6J MODERATE CONFIDENCE MORTYSTEALER PLOCK SUSPICIOUS PE TIGGRE TROJANPSW VIGORF VSN05D19 WOGI XIHZP
Eagle Eye engine
Not detected: no Eagle Eye engine result available
Static verdict
Antivirus engines
Engine       Result                            Scan date  Engine version
McAfee       Artemis!639CDF01445F              20190411   6.0.6.653
Baidu        -                                 20190318   1.0.0.2
Alibaba      PUA:Application/Generic.c64e8e91  20190402   0.3.0.4
Avast        Win32:Trojan-gen                  20190411   18.4.3895.0
Tencent      Win32.Trojan.Cosmu.Wogi           20190411   1.0.0.1
Kingsoft     -                                 20190411   2013.8.14.323
CrowdStrike  -                                 20190212   1.0
Static indicators
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620775580.725875 GlobalMemoryStatusEx
success 1 0
The executable uses a known packer (1 event)
packer UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Behavior verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features  POST method with no referer header
suspicious_request   POST https://update.googleapis.com/service/update2?cup2key=10:2562392475&cup2hreq=31935f3d2984f1fe3dd57562a1c5ae4a3c951a4ec1b3e1a3ded5cd0d88f53299
Performs some HTTP requests (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:2562392475&cup2hreq=31935f3d2984f1fe3dd57562a1c5ae4a3c951a4ec1b3e1a3ded5cd0d88f53299
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:2562392475&cup2hreq=31935f3d2984f1fe3dd57562a1c5ae4a3c951a4ec1b3e1a3ded5cd0d88f53299
Allocates read-write-execute memory (usually to unpack itself) (50 out of 16388 events)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1620775580.67825 NtProtectVirtualMemory
  process_identifier: 1632
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 77824
  protection: 32 (PAGE_EXECUTE_READ)
  process_handle: 0xffffffff
  base_address: 0x00681000
success 0 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.8386506281702735  section UPX1 {size_of_data: 0x000a8800, virtual_address: 0x000c9000, virtual_size: 0x000a9000, entropy: 7.8386506281702735}  description A section with a high entropy has been found
entropy 0.993367722918202  description Overall entropy of this PE file is high
The executable is compressed using UPX (2 events)
section UPX0  description Section name indicates UPX
section UPX1  description Section name indicates UPX
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 113.108.239.196
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (50 out of 17357 events)
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla reg_value C:\Users\Administrator.Oskar-PC\AppData\Local\Mozilla\MiniCalc.exe
The Run value is named "Mozilla" but launches MiniCalc.exe from the user-writable AppData\Local directory. A value name that does not match the executable it starts, in a path a standard user can write to, is the usual shape of persistence that borrows a vendor name; the entry is per-user (HKCU), so it survives reboots without requiring elevation.
Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (50 of 250 events shown)
Process injection: process 1632 created a remote thread in non-child process 0. Caveat: every event listed below passes process_handle 0x00000000 and process_identifier 0 with a NULL function_address, and each is marked failed. These records show that the sample called CreateRemoteThread, not that a thread was created in another process; the signature counts attempts, so the event count should not be read as 250 injections.
Time & API Arguments Status Return Repeated
1620775580.63125
CreateRemoteThread
thread_identifier: 0
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 21
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 20
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 20
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 25
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 11
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 12
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 9
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 10
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 10
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 18
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 20
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 20
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 12
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 19
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 19
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 8
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 9
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 14
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 15
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 15
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 14
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 16
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 18
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.63125
CreateRemoteThread
thread_identifier: 14
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 12
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 15
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 11
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 14
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 9
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 11
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 9
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 24
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 14
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 12
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 9
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 8
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 14
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 12
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 11
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 11
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 11
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 11
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 0
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 15
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 11
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 11
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 9
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
1620775580.64725
CreateRemoteThread
thread_identifier: 0
process_identifier: 0
function_address: 0x00000000
flags: 0
process_handle: 0x00000000
parameter: 0x00000000
stack_size: 0
failed 0 0
Manipulates memory of a non-child process indicative of process injection (50 of 17357 events shown)
Process injection: process 1632 manipulating memory of non-child process 0. Caveat: each NtAllocateVirtualMemory call below is made with process_handle 0x00000000 and returns 3221225480, which is NTSTATUS 0xC0000008 (STATUS_INVALID_HANDLE). The allocations failed and touched no other process. The calls repeat with identical arguments (region_size 110592, PAGE_EXECUTE_READWRITE, MEM_COMMIT|MEM_RESERVE) at consecutive 0x10000-aligned base addresses, which is why the event count is so high; it does not represent 17357 distinct injections.
Time & API Arguments Status Return Repeated
1620775580.39725
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10410000
failed 3221225480 0
1620775580.39725
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10420000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10430000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10440000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10450000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10460000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10470000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10480000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10490000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104a0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104b0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104c0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104d0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104e0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104f0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10500000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10510000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10520000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10530000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10540000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10550000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10560000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10570000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10580000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10590000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x105a0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x105b0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x105c0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x105d0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x105e0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x105f0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10600000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10610000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10620000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10630000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10640000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10650000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10660000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10670000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10680000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10690000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x106a0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x106b0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x106c0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x106d0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x106e0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x106f0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10700000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10710000
failed 3221225480 0
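The three injection signatures in this report (CreateRemoteThread, NtAllocateVirtualMemory and WriteProcessMemory against a non-child process) and the Run-key entry all need the same triage step before the event counts mean anything: separate calls that failed with a NULL handle from calls that reached another process through a real handle, and check whether the persistence entry points at a user-writable path under a borrowed name. The following Python script is an added example, not part of the sandbox output or of any sandbox's own code. It parses the report's flattened record layout (timestamp line, API name, key: value argument lines, then a status/return/repeated line), labels each call, and applies a simple heuristic to a Run-key entry. The embedded records are constructed to mirror the ones in this report (the buffer is shortened to its MZ prefix), and the label names, the STATUS_INVALID_HANDLE constant (0xC0000008) and the USER_WRITABLE list are the example's own choices.

```python
"""Triage helper for flattened sandbox API-call records (added example)."""
import re

# NTSTATUS printed by the sandbox as 3221225480 (decimal) == 0xC0000008.
STATUS_INVALID_HANDLE = 0xC0000008

# Constructed sample in the report's layout: timestamp line, API name,
# "key: value" argument lines, then "<status> <return> <repeated>".
SAMPLE_CALLS = """\
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10710000
failed 3221225480 0
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer: MZ..This program cannot be run in DOS mode.
process_handle: 0x00000118
base_address: 0x00400000
success 1 0
1620775580.63125
CreateRemoteThread
thread_identifier: 21
process_identifier: 0
function_address: 0x00000000
process_handle: 0x00000000
failed 0 0
"""

_TIMESTAMP = re.compile(r"^\d+\.\d+$")
_STATUS = re.compile(r"^(success|failed)\s+(\d+)\s+(\d+)$")


def parse_calls(text):
    """Split the flattened dump into one dict per API call."""
    calls, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _TIMESTAMP.match(line):        # a timestamp opens a new record
            cur = {"time": line, "api": None}
            calls.append(cur)
        elif cur is None:
            continue                      # stray lines before the first record
        elif _STATUS.match(line):         # "<status> <return> <repeated>" closes it
            status, ret, rep = _STATUS.match(line).groups()
            cur["status"], cur["return"], cur["repeated"] = status, int(ret), int(rep)
        elif cur["api"] is None:          # first line after the timestamp is the API name
            cur["api"] = line
        elif ": " in line:                # everything else is "key: value"
            key, value = line.split(": ", 1)
            cur[key] = value
    return calls


def handle_is_null(call):
    return int(call.get("process_handle", "0x0"), 16) == 0


def classify(call):
    """Label one call; the sandbox signatures count all of them alike."""
    if call.get("status") == "failed" and handle_is_null(call):
        # NULL handle (and, for NtAllocateVirtualMemory, STATUS_INVALID_HANDLE):
        # the call never reached another process, so it is not injection evidence.
        return "noise"
    api, buf = call["api"], call.get("buffer", "")
    if api == "WriteProcessMemory" and call.get("status") == "success":
        if buf.startswith("MZ") and call.get("base_address") == "0x00400000":
            return "pe_image_write"       # whole PE at the default image base: hollowing candidate
        return "remote_write"
    if api == "CreateRemoteThread" and call.get("status") == "success":
        return "remote_thread"
    if api == "NtAllocateVirtualMemory" and "PAGE_EXECUTE_READWRITE" in call.get("protection", ""):
        return "rwx_alloc"
    return "other"


def triage(text):
    """Group parsed calls by triage label, preserving report order."""
    groups = {}
    for call in parse_calls(text):
        groups.setdefault(classify(call), []).append(call)
    return groups


# Directories a standard user can write to; a Run entry pointing there deserves a look.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")


def autorun_is_suspicious(reg_key, reg_value):
    """Flag a Run-key entry in a user-writable path whose value name does not
    match the executable it launches (as with Run\\Mozilla -> MiniCalc.exe)."""
    value_name = reg_key.rsplit("\\", 1)[-1].lower()
    exe_stem = reg_value.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    in_user_dir = any(part in reg_value.lower() for part in USER_WRITABLE)
    return in_user_dir and value_name != exe_stem


if __name__ == "__main__":
    for label, calls in triage(SAMPLE_CALLS).items():
        print(label, [(c["api"], c.get("process_identifier")) for c in calls])
    print(autorun_is_suspicious(
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla",
        r"C:\Users\Administrator.Oskar-PC\AppData\Local\Mozilla\MiniCalc.exe"))
```

Feed the full report text to triage() and discard everything tagged noise before counting injection events; what remains is the set of calls that carried a real handle to another process, which for this sample is the WriteProcessMemory sequence into PID 2864. The pe_image_write label is deliberately narrow (MZ prefix at 0x00400000) so that ordinary remote writes of shellcode or strings are kept separate under remote_write.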
Potential code injection by writing to the memory of another process (50 of 728 events shown)
Process injection: process 1632 injected into non-child process 0 (summary line; the per-event process_identifier is the reliable field). The first four events are the substantive ones: successful WriteProcessMemory calls through handle 0x00000118 into PID 2864 that write an MZ/PE header at 0x00400000 and further regions at 0x00416000, 0x0041b000 and 0x0041c000, i.e. a complete PE image placed at the default 32-bit image base of a second process. That sequence is what process hollowing (RunPE) looks like in an API trace; this section does not show the preceding process creation with a suspended main thread or a later SetThreadContext/ResumeThread, so treat hollowing as the likely interpretation rather than confirmed. The remaining events again use process_identifier 0 and process_handle 0x00000000 and are marked failed; their buffers are readable only as strings (kernel32, GetModuleHandleA, GetProcAddress, ExitThread and the *CriticalSection import names), which is consistent with the sample resolving imports for the code it tried to write.
Time & API Arguments Status Return Repeated
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ øM™oMM™oMM™oMŽ–0ML™oMDáëML™oMDáüMQ™oMM™nM«™oMŽ–2MN™oMDáìMO™oMj_ML™oMj_MN™oMH•`ML™oMÜðfL'™oMÜðML™oMÜðmLL™oMRichM™oMPELÌћ\à ˜iW @Ð@…üI€p,°° €H `.text  `.rdatar< > @@.data@`J@À.rsrcp,€.P@@.reloc° °~@B.bssÀŒ@@
process_handle: 0x00000118
base_address: 0x00400000
success 1 0
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer: m@@ž@­@¼@Ë@Ú@ü@ @ @™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(H»ï¾­Þï¾­ÞH¸ï¾­Þï¾­Þÿã¸ï¾­Þéï¾­ÞU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃä;Ad
process_handle: 0x00000118
base_address: 0x00416000
success 1 0
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer: „Š00 0µ0¼0É0Ð0o1u1|1ƒ1Š1•1¤1³1Â1Ñ1Ü1â1é1ð1÷12 22"2(2/262=2D2N2n2÷:; ;&;1;<;G;R;];h;‡;˜;£;®;¹;Ä;Ï;è;ñ;<!<@<Y<¸<ú<±>Ó>Û> dö0Ü1w4‚4·4Í4Ø4ô455=5D5»5á5ô56…6ò6775778&8­8Ç8é8 99W9˜9ã98;h;Û;à;í;û; <s>ª>Õ>1?H?–?ç?0À20H0f0m0E1Y1n11¨1µ1È1ú1<2³23a3Œ3Î3å3474£5æ5%696I6”6¤6®6µ6¾6Ö677?7Y7c7o7v7‚7‰7•7œ7¨7¯7ô78!8(8u8ƒ8”8ì8þ89992999I9P9\9c9o9v9û9:k:r:y:‚:;;;;b;i;p;y;Ê;ð;G<Y<f<=_=õ=)>×>ý>Õ?@x0Ã0ð0Ì12C3p3 3¦3ì3ó3ç45}5ç5c6u6Ô67,7K7T7Ç8ø9:c;„;¡;¾;Û;(<B<`<­<Ô<ú<=4=Q=n=‹= >>'>.>H>e>‚>Ÿ>¼> ?!?:?P?f?P„0H0Q0q0À0 1?11ü2393I3U33°3Þ4ï47%7,74797@7S7X7d7r7Á7Ë7Ð7Ý7ò7ù78 88V8\8c8m8}8„8 8¹869G9i9p9z99‹9’9ß9æ9ò9ø9ý9:::#:`Ü>D?Ö?pl¹0 1è1ð12·3½3á3õ34 444'4P4W4f4r4ƒ4œ4¢4¬4³4»4Á4Í4×4D5\5a5k5u55‰5“55§5±5»5É5Ð5ô566o6y6ƒ6¥6¯6¹6â6ì6ö67 7'717;7E7•7Ÿ7©7³7Ü7á7æ7ù7þ78 888!8U8Z8_8i8n8s8€8…8Š8—8œ8¡8®8³8¸8é8ö8û89 999$9)939E9R9V9Z9^9b9f9j9n9r9v99Â9Õ9í9::,:2:A:i:‹::¬:²:¾:Í:×:â:û:; ;;&;:;E;N;·;Ô; <'<8<d<Œ<ž<ï< =!=+=V=v={=–=œ=¢=º=Â=È=Ó=ß=å=ð= >>>&>,>7>C>I>U>m>~>ˆ>‘>´>ã>%?¶?Ð?€@U0k0î01(1?1Q1V1\1d1l1w1|1 1µ1º1ã1<2]2x2¨2¯2µ2Ø2ñ2÷233 3;3P3n3y3¦3²3¹3Å3Ñ3Û3á3ç3÷3ÿ34 444%4+434>4D4I4N4Z4p4{4‡4Œ4“44£4¬4²4·4¿4Ê4Û4à4æ4ö45 5555'5-525@5E5L5R5X5_5l5q5}5‚55”5ï5V6c6j6w6§6®6|8þ8 99'909;9c9k9q9|9š9Ä9Ò9ø9!:]::Ò:×:Ü:ã:D;S;c;s;ƒ;“;£;³;Ã;Ó;ã;ó;b<u<…<’<¢<¯<¿<Ì<ã<=9=J=_=l=€=²=a>f>­>ñ>5?y?½?t*0—01¡1×122)2o2˜2Ó2ì2ù203È3à3 4#4Š4Ú45Q5677e7¨7Â7Ï7à788*8l899E9_9Æ9:V:“:Þ;\<c<À<î<;=z=Æ=ø=+>?F? 
ÈK0—0ž0¦0»0Í0ã0ù0$1n1ñ1ú1ÿ1212J2c2|2•2®2Í2è2+3D3}3å3õ344.4A4T4g4z4–4ê4p56*6:6J6Z6j6z6Š6•6¨6³6É6å67797‰8$9)9B9[9t99¦9¿9Ø9ñ9:+:l:‡:Â:J;Z;m;€;“;¦;¹;Ì;ß;û;J<Q<_<x<Œ<•<ž<k=û=>9>Q>b>t>Þ?ù?°ø21=1B1M1^1c1h1r1†1‹11ž1¦1­1³1Â1Ì1Ñ1Ø1é1ñ1ø1ÿ12 22u2â23U3­3»3Ì3ö3E4`4f4k4v4{4†4‹4•4«4Û4ï4(525G5`5j5w5~5„5‰5Ò5ó56#686E6^6l6†66¤6±6¾6È6Ú6ã6ñ67717>7M7W7x7ƒ7–7Ã7Ð7Ý7ê7÷78N8È89Ë9Ý9ó99;b;z;á;ú;1<Z<d<r<+=3=v=²=¿=5>E>k>|>Á>Æ>Ô>ú>?£?É?Ö?ÀH"0g0…0%1ú1 2e2´23X3‚3Ž3–3 3¦3Ï3Õ3Û3á3ì3ò3ý34444%40464A4G4Q4W4c4h4n4‚44™4ž4¥4±4·4»4Á4Ó4í4 5%5E5^5§5ó5ø5*6G6o6z6Œ6•6ž6¤6³6Ò6Ù6å6ê6 7(7-737?7I7N7o7„7Š7–7ž7¨7®7µ7»7Ü7á7æ7ì7ò7ü788.8W8l8ˆ8•8¡8¸89 9S9ƒ9û9::½:Ñ:Þ:ï:+;i;w;Ž;­;À;Þ;@<E<L<Q<Z<`<e<–<¾<Ê<Ñ<Ö<Û<à<æ<ê<ñ<ü<*=0=¿=Å=Ì=Ò=è=ò=>,>2>8>?>C>_>e>Ž>•>£>¸>À>?a?¿?Æ?иU0Î011-1U1f1t1š1­1è1ø1282e2u2~2…2´2Ä2Í2Ô2Q3v3€3Ž3´3Û3(494n4Ž4¢4®4ó4 5+5C5€5¥5µ5¾5Å5i7p7Ž7£7·7Ò7ü7-888W8q8²8»8ç8ò89D9b9p9Ä9Ö9ú9m:¯:Q;»;â;<Œ<¹<Ï<Þ<==A=œ=¤=¬=·=Ã=Î=ã=ë=û=àp<2{223H3\3p3í4å5ˆ6Ÿ6´6¾6Ë627\7a7i7p7µ7Ê7â7í7þ78*838ˆ8¡8¬89L9{9Ÿ9¦9::V:y:¬:Ö:;';j;²;Í;Á<é<>S>q>>ð$q0w0ä0ñ0þ0n1w1…1”1¦1±1¼1Ô1ß1þ12?2J2W2b22«2¿2Í2Ô2Û23 3=3B3I3V3_3h3~33–3®3·3Á3Ë3Ò3444G4R4_4y4~4‹4š4£4ª4Õ4ß4î4ù4þ4 55Ü5õ5!6:6h66«6³6Î6è6747^7™7°7·7J8U8f8m88–8º8È8Ï8Ö89"9V9a99’9±9»9Ò9::1:^:k:…::\;ˆ;Ç;è;Ð<Û<ä<ô<û<= ===B=M=S=b=h=r=x=|=Ÿ=¥=ª=¾=Ê=Ò=Ø=ë=I>c>’>¨>q?‰?¥?Æ?Ú?æ?¼¶0Â0Ø0Ý0õ0&1.1B1Q1n1‹1l2ˆ2”2œ2¨2¿2ç233(3Ê3î3û34454i6„66–6œ6±6ç6ð6ö677/7F7 8e8 949r9w9¸9ö9: :::J:]:h:~:¦:¸:¿:è:ï:=;M;a;š;Ÿ;¬; <!<=@==ž=©=¸=Â=Ñ=Û=å=;>@>N>]>:?A?z??Œ?à?ç? ;0l0™0Æ0ù01'111;1E1“1®1¸1Ç1Í1Ü1÷1222%2@2J2Y2_2n2‰2“2ž2¤2°2Ë2Õ2à2æ2ð2 33 3*343B3G3L3Q3V3º3×3ô3424F4`4g4w4~4¨4n5z55‡55•5¨5­5²5·5¾5Å5É5Ï5í5÷56 66 À@4D4Ô4Ø4Ü4à4ä4è4ì4ð4ô4ø4ü4555 55555 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5€5„5ˆ5Œ55”5˜5œ5 5¤5¨5¬5°5´5¸5¼5À5Ä5È5Ì5Ð5Ô5Ø5Ü5à5ä5è5ì5ð5ô5ø5ü5666 66666 6$6(6,60646860Ä;È;Ì;ä;è;ì;@8t6x6Ð6Ô6Ø6Ü6à677€7„7˜7œ7 7¤788 8$8(8,80848` 00 00000 0$0(0x5
process_handle: 0x00000118
base_address: 0x0041b000
success 1 0
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer: 2ú©‘ñÑËf  É`‚‘:©ªÏÞ RíˆØ)dë´ /˜Ot$ÄX~V¹†:W;OÚ¿ÿÍp–YÞ•yG…§Š$&‘¸)ã »ælU”Bgr}Bñ5¤ã—ÓE¶üŽÆ‡¡å‘QLb¨ùfö¤õWœ1i¶‡ Ƈ”`Éùù*¢Ñ«œ‰x†>bÎÓBĸw ¨ý üleˆ±×Ò?°}¿
process_handle: 0x00000118
base_address: 0x0041c000
success 1 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ×I5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄø‹E‹‰Uø‹P‰UüÿuüÿUøYY]ÂU‹ìƒÄôSV‰Uü‹ð‹EüèÛùÿ3ÀUhÓFdÿ0d‰ 3ÛhÓFh ÓFè¡ùÿPè¡ùÿ‰Eô‹Eüè»ùÿ‹Ð‹ÆèVþÿÿ‰EøjjMôºÔÒF‹Æèÿÿÿ…ÀtPèâŸùÿ³jdèá¡ùÿ3ÀZYYd‰hˆÓFEüè°zùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: DeleteCriticalSection
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: LeaveCriticalSection
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: EnterCriticalSection
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: InitializeCriticalSection
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: VirtualFree
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: VirtualAlloc
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: LocalFree
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: LocalAlloc
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: GetVersion
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: GetCurrentThreadId
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: InterlockedDecrement
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: InterlockedIncrement
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: VirtualQuery
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: WideCharToMultiByte
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: ˜ÕØw"5vE5v
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‰Mø‰Uü‹Ø‹u3ÿhèÕFhüÕFèïžùÿPèñžùÿ‰EèhÖFhüÕFèמùÿPèٞùÿ‰EähÖFhüÕF连ùÿPèÁžùÿ‰Eàƒþu‹Eø‰Eðë‹Î‹Uø‹Ãè‘üÿÿ‰Eð‹Uü‹Ãèìûÿÿ‰EìjjMàºøÔF‹Ãèžüÿÿ‹Ø…ÛtjÿS謟ùÿEôPSè*žùÿ‹}ô‹Ç_^[‹å]ÂGetModuleHandleAkernel32GetProcAddressExitThreadU‹ìƒÄø‰Uø‰Eü‹Eüè܍ùÿ‹Eøè¤|ùÿ3ÀUh©ÖFdÿ0d‰ ‹Eü蒋ùÿ@PEü¹‹\ÎFè9ùÿƒÄ‹Eüèr‹ùÿ‹UüD‚ü‹Uøèÿwùÿ3ÀZYYd‰h°ÖFEøè–wùÿEü‹\ÎFèùÿÃ
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
1620775580.63125
WriteProcessMemory
process_identifier: 0
buffer: MultiByteToWideChar
process_handle: 0x00000000
base_address: 0x00000000
failed 0 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ øM™oMM™oMM™oMŽ–0ML™oMDáëML™oMDáüMQ™oMM™nM«™oMŽ–2MN™oMDáìMO™oMj_ML™oMj_MN™oMH•`ML™oMÜðfL'™oMÜðML™oMÜðmLL™oMRichM™oMPELÌћ\à ˜iW @Ð@…üI€p,°° €H `.text  `.rdatar< > @@.data@`J@À.rsrcp,€.P@@.reloc° °~@B.bssÀŒ@@
process_handle: 0x00000118
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 1632 called NtSetContextThread to modify thread in remote process 2864
Time & API Arguments Status Return Repeated
1620775580.27225
NtSetContextThread
thread_handle: 0x00000124
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4216681
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2864
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 1632 resumed a thread in remote process 2864
Time & API Arguments Status Return Repeated
1620775580.36625
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2864
success 0 0
Executed a process and injected code into it, probably while unpacking (50 out of 18343 events)
Time & API Arguments Status Return Repeated
1620775580.27225
CreateProcessInternalW
thread_identifier: 2856
thread_handle: 0x00000124
process_identifier: 2864
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\639cdf01445ff94e8030fd55369ddb0b.exe
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\639cdf01445ff94e8030fd55369ddb0b.exe"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\639cdf01445ff94e8030fd55369ddb0b.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000118
inherit_handles: 0
success 1 0
1620775580.27225
NtGetContextThread
thread_handle: 0x00000124
success 0 0
1620775580.27225
NtUnmapViewOfSection
process_identifier: 2864
region_size: 4096
process_handle: 0x00000118
base_address: 0x00400000
success 0 0
1620775580.27225
NtAllocateVirtualMemory
process_identifier: 2864
region_size: 118784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000118
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ øM™oMM™oMM™oMŽ–0ML™oMDáëML™oMDáüMQ™oMM™nM«™oMŽ–2MN™oMDáìMO™oMj_ML™oMj_MN™oMH•`ML™oMÜðfL'™oMÜðML™oMÜðmLL™oMRichM™oMPELÌћ\à ˜iW @Ð@…üI€p,°° €H `.text  `.rdatar< > @@.data@`J@À.rsrcp,€.P@@.reloc° °~@B.bssÀŒ@@
process_handle: 0x00000118
base_address: 0x00400000
success 1 0
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer:
process_handle: 0x00000118
base_address: 0x00401000
success 1 0
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer:
process_handle: 0x00000118
base_address: 0x00412000
success 1 0
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer: m@@ž@­@¼@Ë@Ú@ü@ @ @™TÍ<¨‡K¢`ˆˆÝ;UBÄôKŠ› A³€ÝJpMÛ(H»ï¾­Þï¾­ÞH¸ï¾­Þï¾­Þÿã¸ï¾­Þéï¾­ÞU‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃä;Ad
process_handle: 0x00000118
base_address: 0x00416000
success 1 0
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer:
process_handle: 0x00000118
base_address: 0x00418000
success 1 0
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer: „Š00 0µ0¼0É0Ð0o1u1|1ƒ1Š1•1¤1³1Â1Ñ1Ü1â1é1ð1÷12 22"2(2/262=2D2N2n2÷:; ;&;1;<;G;R;];h;‡;˜;£;®;¹;Ä;Ï;è;ñ;<!<@<Y<¸<ú<±>Ó>Û> dö0Ü1w4‚4·4Í4Ø4ô455=5D5»5á5ô56…6ò6775778&8­8Ç8é8 99W9˜9ã98;h;Û;à;í;û; <s>ª>Õ>1?H?–?ç?0À20H0f0m0E1Y1n11¨1µ1È1ú1<2³23a3Œ3Î3å3474£5æ5%696I6”6¤6®6µ6¾6Ö677?7Y7c7o7v7‚7‰7•7œ7¨7¯7ô78!8(8u8ƒ8”8ì8þ89992999I9P9\9c9o9v9û9:k:r:y:‚:;;;;b;i;p;y;Ê;ð;G<Y<f<=_=õ=)>×>ý>Õ?@x0Ã0ð0Ì12C3p3 3¦3ì3ó3ç45}5ç5c6u6Ô67,7K7T7Ç8ø9:c;„;¡;¾;Û;(<B<`<­<Ô<ú<=4=Q=n=‹= >>'>.>H>e>‚>Ÿ>¼> ?!?:?P?f?P„0H0Q0q0À0 1?11ü2393I3U33°3Þ4ï47%7,74797@7S7X7d7r7Á7Ë7Ð7Ý7ò7ù78 88V8\8c8m8}8„8 8¹869G9i9p9z99‹9’9ß9æ9ò9ø9ý9:::#:`Ü>D?Ö?pl¹0 1è1ð12·3½3á3õ34 444'4P4W4f4r4ƒ4œ4¢4¬4³4»4Á4Í4×4D5\5a5k5u55‰5“55§5±5»5É5Ð5ô566o6y6ƒ6¥6¯6¹6â6ì6ö67 7'717;7E7•7Ÿ7©7³7Ü7á7æ7ù7þ78 888!8U8Z8_8i8n8s8€8…8Š8—8œ8¡8®8³8¸8é8ö8û89 999$9)939E9R9V9Z9^9b9f9j9n9r9v99Â9Õ9í9::,:2:A:i:‹::¬:²:¾:Í:×:â:û:; ;;&;:;E;N;·;Ô; <'<8<d<Œ<ž<ï< =!=+=V=v={=–=œ=¢=º=Â=È=Ó=ß=å=ð= >>>&>,>7>C>I>U>m>~>ˆ>‘>´>ã>%?¶?Ð?€@U0k0î01(1?1Q1V1\1d1l1w1|1 1µ1º1ã1<2]2x2¨2¯2µ2Ø2ñ2÷233 3;3P3n3y3¦3²3¹3Å3Ñ3Û3á3ç3÷3ÿ34 444%4+434>4D4I4N4Z4p4{4‡4Œ4“44£4¬4²4·4¿4Ê4Û4à4æ4ö45 5555'5-525@5E5L5R5X5_5l5q5}5‚55”5ï5V6c6j6w6§6®6|8þ8 99'909;9c9k9q9|9š9Ä9Ò9ø9!:]::Ò:×:Ü:ã:D;S;c;s;ƒ;“;£;³;Ã;Ó;ã;ó;b<u<…<’<¢<¯<¿<Ì<ã<=9=J=_=l=€=²=a>f>­>ñ>5?y?½?t*0—01¡1×122)2o2˜2Ó2ì2ù203È3à3 4#4Š4Ú45Q5677e7¨7Â7Ï7à788*8l899E9_9Æ9:V:“:Þ;\<c<À<î<;=z=Æ=ø=+>?F? 
ÈK0—0ž0¦0»0Í0ã0ù0$1n1ñ1ú1ÿ1212J2c2|2•2®2Í2è2+3D3}3å3õ344.4A4T4g4z4–4ê4p56*6:6J6Z6j6z6Š6•6¨6³6É6å67797‰8$9)9B9[9t99¦9¿9Ø9ñ9:+:l:‡:Â:J;Z;m;€;“;¦;¹;Ì;ß;û;J<Q<_<x<Œ<•<ž<k=û=>9>Q>b>t>Þ?ù?°ø21=1B1M1^1c1h1r1†1‹11ž1¦1­1³1Â1Ì1Ñ1Ø1é1ñ1ø1ÿ12 22u2â23U3­3»3Ì3ö3E4`4f4k4v4{4†4‹4•4«4Û4ï4(525G5`5j5w5~5„5‰5Ò5ó56#686E6^6l6†66¤6±6¾6È6Ú6ã6ñ67717>7M7W7x7ƒ7–7Ã7Ð7Ý7ê7÷78N8È89Ë9Ý9ó99;b;z;á;ú;1<Z<d<r<+=3=v=²=¿=5>E>k>|>Á>Æ>Ô>ú>?£?É?Ö?ÀH"0g0…0%1ú1 2e2´23X3‚3Ž3–3 3¦3Ï3Õ3Û3á3ì3ò3ý34444%40464A4G4Q4W4c4h4n4‚44™4ž4¥4±4·4»4Á4Ó4í4 5%5E5^5§5ó5ø5*6G6o6z6Œ6•6ž6¤6³6Ò6Ù6å6ê6 7(7-737?7I7N7o7„7Š7–7ž7¨7®7µ7»7Ü7á7æ7ì7ò7ü788.8W8l8ˆ8•8¡8¸89 9S9ƒ9û9::½:Ñ:Þ:ï:+;i;w;Ž;­;À;Þ;@<E<L<Q<Z<`<e<–<¾<Ê<Ñ<Ö<Û<à<æ<ê<ñ<ü<*=0=¿=Å=Ì=Ò=è=ò=>,>2>8>?>C>_>e>Ž>•>£>¸>À>?a?¿?Æ?иU0Î011-1U1f1t1š1­1è1ø1282e2u2~2…2´2Ä2Í2Ô2Q3v3€3Ž3´3Û3(494n4Ž4¢4®4ó4 5+5C5€5¥5µ5¾5Å5i7p7Ž7£7·7Ò7ü7-888W8q8²8»8ç8ò89D9b9p9Ä9Ö9ú9m:¯:Q;»;â;<Œ<¹<Ï<Þ<==A=œ=¤=¬=·=Ã=Î=ã=ë=û=àp<2{223H3\3p3í4å5ˆ6Ÿ6´6¾6Ë627\7a7i7p7µ7Ê7â7í7þ78*838ˆ8¡8¬89L9{9Ÿ9¦9::V:y:¬:Ö:;';j;²;Í;Á<é<>S>q>>ð$q0w0ä0ñ0þ0n1w1…1”1¦1±1¼1Ô1ß1þ12?2J2W2b22«2¿2Í2Ô2Û23 3=3B3I3V3_3h3~33–3®3·3Á3Ë3Ò3444G4R4_4y4~4‹4š4£4ª4Õ4ß4î4ù4þ4 55Ü5õ5!6:6h66«6³6Î6è6747^7™7°7·7J8U8f8m88–8º8È8Ï8Ö89"9V9a99’9±9»9Ò9::1:^:k:…::\;ˆ;Ç;è;Ð<Û<ä<ô<û<= ===B=M=S=b=h=r=x=|=Ÿ=¥=ª=¾=Ê=Ò=Ø=ë=I>c>’>¨>q?‰?¥?Æ?Ú?æ?¼¶0Â0Ø0Ý0õ0&1.1B1Q1n1‹1l2ˆ2”2œ2¨2¿2ç233(3Ê3î3û34454i6„66–6œ6±6ç6ð6ö677/7F7 8e8 949r9w9¸9ö9: :::J:]:h:~:¦:¸:¿:è:ï:=;M;a;š;Ÿ;¬; <!<=@==ž=©=¸=Â=Ñ=Û=å=;>@>N>]>:?A?z??Œ?à?ç? ;0l0™0Æ0ù01'111;1E1“1®1¸1Ç1Í1Ü1÷1222%2@2J2Y2_2n2‰2“2ž2¤2°2Ë2Õ2à2æ2ð2 33 3*343B3G3L3Q3V3º3×3ô3424F4`4g4w4~4¨4n5z55‡55•5¨5­5²5·5¾5Å5É5Ï5í5÷56 66 À@4D4Ô4Ø4Ü4à4ä4è4ì4ð4ô4ø4ü4555 55555 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5€5„5ˆ5Œ55”5˜5œ5 5¤5¨5¬5°5´5¸5¼5À5Ä5È5Ì5Ð5Ô5Ø5Ü5à5ä5è5ì5ð5ô5ø5ü5666 66666 6$6(6,60646860Ä;È;Ì;ä;è;ì;@8t6x6Ð6Ô6Ø6Ü6à677€7„7˜7œ7 7¤788 8$8(8,80848` 00 00000 0$0(0x5
process_handle: 0x00000118
base_address: 0x0041b000
success 1 0
1620775580.27225
WriteProcessMemory
process_identifier: 2864
buffer: 2ú©‘ñÑËf  É`‚‘:©ªÏÞ RíˆØ)dë´ /˜Ot$ÄX~V¹†:W;OÚ¿ÿÍp–YÞ•yG…§Š$&‘¸)ã »ælU”Bgr}Bñ5¤ã—ÓE¶üŽÆ‡¡å‘QLb¨ùfö¤õWœ1i¶‡ Ƈ”`Éùù*¢Ñ«œ‰x†>bÎÓBĸw ¨ý üleˆ±×Ò?°}¿
process_handle: 0x00000118
base_address: 0x0041c000
success 1 0
1620775580.27225
NtSetContextThread
thread_handle: 0x00000124
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4216681
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2864
success 0 0
1620775580.36625
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 2864
success 0 0
1620775580.39725
CreateProcessInternalW
thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: RdpSaUacHelper.exe
filepath_r:
stack_pivoted: 0
creation_flags: 68 (CREATE_SUSPENDED|IDLE_PRIORITY_CLASS)
process_handle: 0x00000000
inherit_handles: 0
failed 0 0
1620775580.39725
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10410000
failed 3221225480 0
1620775580.39725
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10420000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10430000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10440000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10450000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10460000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10470000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10480000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10490000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104a0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104b0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104c0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104d0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104e0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x104f0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10500000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10510000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10520000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10530000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10540000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10550000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10560000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10570000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10580000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10590000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x105a0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x105b0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x105c0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x105d0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x105e0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x105f0000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10600000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10610000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10620000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10630000
failed 3221225480 0
1620775580.41325
NtAllocateVirtualMemory
process_identifier: 0
region_size: 110592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10640000
failed 3221225480 0
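The thirteen successful calls at the start of this signature are the textbook process-hollowing (RunPE) sequence: the sample starts a second copy of itself with CREATE_SUSPENDED, reads the main thread's context, unmaps the original image at 0x00400000, allocates 118784 bytes (0x1D000) of PAGE_EXECUTE_READWRITE memory at the same base, writes a new PE header followed by six section images, sets the thread context so that EAX (4216681 = 0x405769, i.e. 0x5769 bytes into the new image) becomes the entry point while EBX (2130567168 = 0x7EFDE000) still points at the PEB, and resumes the thread. The second attempt, against a process named RdpSaUacHelper.exe, never got past CreateProcessInternalW: the handles it returned are null, so each of the 36 NtAllocateVirtualMemory calls that follow fails with 3221225480 = 0xC0000008, STATUS_INVALID_HANDLE. The Python below is an added example (not the sandbox's own code) that reconstructs both chains from records shaped like the report's and renders a verdict; its RECORDS list is a constructed subset of the log carrying the report's own handles, addresses, flags and register values, and the buffer contents are stand-ins for the section data shown above.

```python
"""Reconstruct the process-hollowing chain from this report's API records.
Added example, not code from the report or the sandbox. RECORDS is a constructed
subset of the call log above, using the report's own handles, addresses, flags and
register values; the buffers are stand-ins for the section data it shows."""
from dataclasses import dataclass, field
from typing import Optional

CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x40: "IDLE_PRIORITY_CLASS"}
PAGE_EXECUTE_READWRITE = 0x40
NTSTATUS = {0xC0000008: "STATUS_INVALID_HANDLE"}   # 3221225480 decimal in the report

def decode_flags(value, names):
    """Render a flag word the way the report does: 68 -> 'CREATE_SUSPENDED|IDLE_PRIORITY_CLASS'."""
    return "|".join(n for bit, n in names.items() if value & bit) or hex(value)

def ok(**kw): return dict(status="success", ret=0, **kw)
def fail(ret, **kw): return dict(status="failed", ret=ret, **kw)

RECORDS = [
    ok(api="CreateProcessInternalW", process_identifier=2864, process_handle=0x118,
       thread_handle=0x124, creation_flags=4),
    ok(api="NtGetContextThread", thread_handle=0x124),
    ok(api="NtUnmapViewOfSection", process_handle=0x118, base_address=0x400000),
    ok(api="NtAllocateVirtualMemory", process_handle=0x118, base_address=0x400000,
       region_size=118784, protection=0x40, allocation_type=0x3000),
    ok(api="WriteProcessMemory", process_handle=0x118, base_address=0x400000,
       buffer=b"MZ" + bytes(62)),                      # stand-in for the PE header
] + [
    ok(api="WriteProcessMemory", process_handle=0x118, base_address=a, buffer=b"\xcc" * 16)
    for a in (0x401000, 0x412000, 0x416000, 0x418000, 0x41B000, 0x41C000)  # section writes
] + [
    ok(api="NtSetContextThread", thread_handle=0x124, eax=4216681, ebx=2130567168),
    ok(api="NtResumeThread", thread_handle=0x124, suspend_count=1),
    # second target never started: null handles, then every allocation fails
    fail(0, api="CreateProcessInternalW", process_identifier=0, process_handle=0,
         thread_handle=0, command_line="RdpSaUacHelper.exe", creation_flags=68),
    fail(0xC0000008, api="NtAllocateVirtualMemory", process_handle=0, base_address=0x10410000,
         region_size=110592, protection=0x40, allocation_type=0x3000),
]

@dataclass
class Chain:
    pid: int
    process_handle: int
    thread_handle: int
    created: bool
    creation_flags: int
    command_line: str = ""
    unmapped_at: Optional[int] = None
    image_base: Optional[int] = None
    image_size: int = 0
    writes: list = field(default_factory=list)      # (address, buffer starts with "MZ")
    entry_point: Optional[int] = None               # EAX from NtSetContextThread
    peb: Optional[int] = None                       # EBX from NtSetContextThread
    resumed: bool = False
    failures: list = field(default_factory=list)    # (api, NTSTATUS name)

    def verdict(self):
        mz_at_base = any(addr == self.image_base and mz for addr, mz in self.writes)
        entry_in_image = (self.image_base is not None and self.entry_point is not None
                          and self.image_base <= self.entry_point < self.image_base + self.image_size)
        if (self.created and self.creation_flags & 0x4 and self.unmapped_at == self.image_base
                and mz_at_base and entry_in_image and self.resumed):
            return "hollowed"
        if self.failures:
            return "failed: " + ", ".join(sorted({name for _, name in self.failures}))
        return "incomplete"

def _owner(chains, rec):
    """Most recent chain whose process or thread handle the record references."""
    for c in reversed(chains):
        if rec.get("process_handle") == c.process_handle or rec.get("thread_handle") == c.thread_handle:
            return c
    return None

def analyze(records):
    """One Chain per CreateProcessInternalW call; later records attach by handle."""
    chains = []
    for r in records:
        api = r["api"]
        if api == "CreateProcessInternalW":
            chains.append(Chain(r["process_identifier"], r["process_handle"], r["thread_handle"],
                                r["status"] == "success", r["creation_flags"], r.get("command_line", "")))
            continue
        c = _owner(chains, r)
        if c is None:
            continue
        if r["status"] != "success":
            c.failures.append((api, NTSTATUS.get(r["ret"], hex(r["ret"]))))
        elif api == "NtUnmapViewOfSection":
            c.unmapped_at = r["base_address"]
        elif api == "NtAllocateVirtualMemory" and r["protection"] & PAGE_EXECUTE_READWRITE:
            c.image_base, c.image_size = r["base_address"], r["region_size"]
        elif api == "WriteProcessMemory":
            c.writes.append((r["base_address"], r["buffer"][:2] == b"MZ"))
        elif api == "NtSetContextThread":
            c.entry_point, c.peb = r["eax"], r["ebx"]   # x86: EAX = new entry point, EBX = PEB
        elif api == "NtResumeThread":
            c.resumed = True
    return chains
```

analyze(RECORDS) yields two chains: PID 2864 comes back "hollowed" with entry point 0x405769 and PEB 0x7efde000, and the RdpSaUacHelper.exe chain comes back "failed: STATUS_INVALID_HANDLE". The "hollowed" verdict requires every link (suspended creation, unmap at the same base as the RWX allocation, an MZ header written at that base, a new EAX inside the written image, and the resume), so a program that merely allocates RWX memory in a child and writes to it, or that writes a PE but never touches the thread context, is reported as "incomplete"; that is what keeps the rule from firing on debuggers and installers that perform some of these steps on their own.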
File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)
MicroWorld-eScan Trojan.GenericKD.31859020
CAT-QuickHeal Trojan.Cosmu
McAfee Artemis!639CDF01445F
Malwarebytes Trojan.Injector
Zillya Trojan.Cosmu.Win32.15903
BitDefender Trojan.GenericKD.31859020
K7GW Trojan ( 0054b34e1 )
K7AntiVirus Trojan ( 0054b34e1 )
Arcabit Trojan.Generic.D1E6214C
ESET-NOD32 a variant of Win32/Injector.EESO
TrendMicro-HouseCall TROJ_FRS.VSN05D19
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Cosmu.gen
Alibaba PUA:Application/Generic.c64e8e91
NANO-Antivirus Trojan.Win32.Cosmu.foutqe
AegisLab Trojan.Win32.Cosmu.4!c
Avast Win32:Trojan-gen
Tencent Win32.Trojan.Cosmu.Wogi
Endgame malicious (moderate confidence)
Emsisoft Trojan.GenericKD.31859020 (B)
Comodo Malware@#350z48sbm5p6j
F-Secure Trojan.TR/AD.MortyStealer.xihzp
DrWeb Trojan.PWS.Stealer.23680
Invincea heuristic
McAfee-GW-Edition GenericRXGI-CF!F288B7FADC2F
FireEye Generic.mg.639cdf01445ff94e
Sophos Mal/Generic-S
SentinelOne DFI - Suspicious PE
Cyren W32/Trojan.IGSQ-2513
Avira TR/AD.MortyStealer.xihzp
MAX malware (ai score=99)
Antiy-AVL Trojan/Win32.Cosmu
Microsoft Trojan:Win32/Tiggre!plock
AhnLab-V3 Trojan/Win32.Injector.C3143200
ZoneAlarm HEUR:Trojan.Win32.Cosmu.gen
GData Trojan.GenericKD.31859020
VBA32 TrojanPSW.Vigorf
ALYac Trojan.GenericKD.31859020
Ad-Aware Trojan.GenericKD.31859020
Zoner Trojan.Win32.76531
Rising Trojan.Injector!8.C4 (CLOUD)
Yandex Trojan.Cosmu!+cr9ukADB3A
Ikarus Trojan.Inject
Fortinet W32/Cosmu.EESA!tr
AVG Win32:Trojan-gen
Panda Trj/GdSda.A
Qihoo-360 Win32/Trojan.32b
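Forty-seven engines flag the file, but their labels do not agree on what it is: ten name Cosmu, four say Injector, two say MortyStealer, and the rest are generic or hash-derived (Artemis, GenericKD, "malicious (moderate confidence)"). Raw counts also double-count engines licensed to several vendors. The Python below is an added example (not part of the report or of VirusTotal's tooling) that extracts a family vote from these 47 labels in the AVClass style: generic tokens and variant suffixes are dropped, the first family-looking token of each label counts as that vendor's vote, and vendors assumed to resell another vendor's engine (ENGINE_ALIASES, an approximation that this page does not state) collapse to a single vote. RAW is the list above, copied verbatim.

```python
"""Family consensus over the 47 VirusTotal verdicts listed in this report.

Added example, not part of the report or of VirusTotal's tooling. A crude version
of the AVClass idea: strip generic tokens, keep the first family-looking token of
each label, collapse vendors that share an engine, and vote. RAW is copied from
the report; ENGINE_ALIASES is an assumption (a common approximation of who
licenses whose engine), not something the page states."""
import re
from collections import Counter

RAW = """
MicroWorld-eScan Trojan.GenericKD.31859020; CAT-QuickHeal Trojan.Cosmu; McAfee Artemis!639CDF01445F;
Malwarebytes Trojan.Injector; Zillya Trojan.Cosmu.Win32.15903; BitDefender Trojan.GenericKD.31859020;
K7GW Trojan ( 0054b34e1 ); K7AntiVirus Trojan ( 0054b34e1 ); Arcabit Trojan.Generic.D1E6214C;
ESET-NOD32 a variant of Win32/Injector.EESO; TrendMicro-HouseCall TROJ_FRS.VSN05D19; Paloalto generic.ml;
Kaspersky HEUR:Trojan.Win32.Cosmu.gen; Alibaba PUA:Application/Generic.c64e8e91;
NANO-Antivirus Trojan.Win32.Cosmu.foutqe; AegisLab Trojan.Win32.Cosmu.4!c; Avast Win32:Trojan-gen;
Tencent Win32.Trojan.Cosmu.Wogi; Endgame malicious (moderate confidence);
Emsisoft Trojan.GenericKD.31859020 (B); Comodo Malware@#350z48sbm5p6j;
F-Secure Trojan.TR/AD.MortyStealer.xihzp; DrWeb Trojan.PWS.Stealer.23680; Invincea heuristic;
McAfee-GW-Edition GenericRXGI-CF!F288B7FADC2F; FireEye Generic.mg.639cdf01445ff94e; Sophos Mal/Generic-S;
SentinelOne DFI - Suspicious PE; Cyren W32/Trojan.IGSQ-2513; Avira TR/AD.MortyStealer.xihzp;
MAX malware (ai score=99); Antiy-AVL Trojan/Win32.Cosmu; Microsoft Trojan:Win32/Tiggre!plock;
AhnLab-V3 Trojan/Win32.Injector.C3143200; ZoneAlarm HEUR:Trojan.Win32.Cosmu.gen; GData Trojan.GenericKD.31859020;
VBA32 TrojanPSW.Vigorf; ALYac Trojan.GenericKD.31859020; Ad-Aware Trojan.GenericKD.31859020;
Zoner Trojan.Win32.76531; Rising Trojan.Injector!8.C4 (CLOUD); Yandex Trojan.Cosmu!+cr9ukADB3A;
Ikarus Trojan.Inject; Fortinet W32/Cosmu.EESA!tr; AVG Win32:Trojan-gen; Panda Trj/GdSda.A;
Qihoo-360 Win32/Trojan.32b
"""

def parse(raw):
    """'Vendor label; Vendor label; ...' -> {vendor: label}. Vendor names carry no spaces."""
    out = {}
    for entry in raw.replace("\n", " ").split(";"):
        vendor, _, label = entry.strip().partition(" ")
        if vendor:
            out[vendor] = label
    return out

VERDICTS = parse(RAW)

# Token prefixes that name a category, platform or heuristic rather than a family.
GENERIC_PREFIXES = ("troj", "trj", "generic", "malware", "malicious", "heur", "win32", "w32",
                    "pua", "application", "artemis", "variant", "suspicious", "moderate",
                    "confidence", "cloud", "score")

# Assumption: these vendors are treated as reselling another vendor's engine (one vote each).
ENGINE_ALIASES = {
    "ZoneAlarm": "Kaspersky", "AVG": "Avast", "K7GW": "K7AntiVirus",
    "McAfee-GW-Edition": "McAfee", "MicroWorld-eScan": "BitDefender",
    "Emsisoft": "BitDefender", "GData": "BitDefender", "ALYac": "BitDefender",
    "Ad-Aware": "BitDefender", "Arcabit": "BitDefender",
}

def family_token(label):
    """First token that looks like a family name, or None for a purely generic verdict."""
    for tok in re.split(r"[^a-z0-9]+", label.lower()):
        if len(tok) < 4 or any(ch.isdigit() for ch in tok):
            continue                      # variant suffixes, hashes, counters
        if tok.startswith(GENERIC_PREFIXES):
            continue
        return tok
    return None

def consensus(verdicts, min_vendors=2):
    """One vote per independent engine; [(family, votes)] sorted by votes, descending."""
    seen, votes = set(), Counter()
    for vendor, label in verdicts.items():
        engine = ENGINE_ALIASES.get(vendor, vendor)
        if engine in seen:
            continue
        seen.add(engine)
        fam = family_token(label)
        if fam:
            votes[fam] += 1
    return [(fam, n) for fam, n in votes.most_common() if n >= min_vendors]
```

With the page's verdicts consensus(VERDICTS) returns [('cosmu', 9), ('injector', 4), ('mortystealer', 2)]: Cosmu is the name to pivot on, "Injector" describes the hollowing behaviour shown above rather than a family, and the MortyStealer pair is an identical label from F-Secure and Avira, which suggests a shared engine that the alias map does not cover. Single-vendor tokens such as Tiggre, Vigorf or Stealer are discarded by the min_vendors threshold; lower it to 1 to see them.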
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual analysis
Binary image
No binary image: the sandbox did not generate a binary visualization for this sample.
Runtime screenshots
No screenshots: none were captured while the sample ran.

PE Compile Time

1992-06-20 06:22:17

This is not a real build date. 0x2A425E19 (1992-06-19 22:22:17 UTC, shown here shifted to UTC+8) is the constant that Delphi's linker writes into the TimeDateStamp field of every executable it produces, so the value only points at a Delphi (or Delphi-imitating) toolchain and says nothing about when this sample was built.

Imports

Library KERNEL32.DLL:
0x572e3c LoadLibraryA
0x572e40 GetProcAddress
0x572e44 VirtualProtect
0x572e48 ExitProcess
Library advapi32.dll:
0x572e50 RegCloseKey
Library comctl32.dll:
0x572e58 ImageList_Add
Library comdlg32.dll:
0x572e60 GetSaveFileNameA
Library gdi32.dll:
0x572e68 SaveDC
Library ole32.dll:
0x572e70 OleDraw
Library oleaut32.dll:
0x572e78 VariantCopy
Library shell32.dll:
0x572e80 ShellExecuteA
Library SHFolder.dll:
0x572e88 SHGetFolderPathA
Library user32.dll:
0x572e90 GetDC
Library version.dll:
0x572e98 VerQueryValueA
Library winspool.drv:
0x572ea0 OpenPrinterA

This import table belongs to the packer stub, not to the program: a KERNEL32 entry holding only LoadLibraryA, GetProcAddress, VirtualProtect and ExitProcess, plus exactly one import from each other DLL so that the loader still maps them, is the UPX layout, and the stub resolves the program's real imports itself after decompression. The real import set therefore exists only in memory; the payload PE written to 0x00400000 in the child process above carries its own import table.

Hosts

No hosts listed by the sandbox; the TCP table below nevertheless records one outbound connection, to update.googleapis.com (203.208.41.98:443).

TCP

Source Source Port Destination Destination Port
192.168.56.101 49187 203.208.41.98 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355

HTTP & HTTPS Requests

No plaintext HTTP requests were captured on the wire; the only outbound connection recorded is TLS to update.googleapis.com on port 443 (TCP table above), whose payload is not visible in this capture.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.