SmartHawk

16.0

0-day

56 个模型检测该样本为恶意！

重新分析

下载样本

a545a5a3e1497a32a8b05e9aa14f7a9f7eb4b80e7bf281db384d6b8ae536be49

799e9ecf57f205fe316328a1c739a56a.exe

分析耗时

131s

最近分析

文件大小

1.1MB

静态报毒动态报毒 100% AI SCORE=100 AIDETECTVM ARTEMIS AUITINJ AUTINJECT AUTOINJ AUTOIT CLASSIC CONFIDENCE CRYPTINJECT ELDORADO GEN8 GENCIRC GENERICKD GENETIC GRAYWARE HIGH CONFIDENCE HLMKKB INJECT3 KCLOUD MALWARE1 NANOCORE PACK R + MAL REMCOS SCORE SS@8SG957 TROJANAITINJECT UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Artemis!799E9ECF57F2	20201211	6.0.6.653
Alibaba	VirTool:Win32/AutInject.2777c126	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	AutoIt:Injector-JF [Trj]	20201210	21.1.5827.0
Tencent	Malware.Win32.Gencirc.10b0d10f	20201211	1.0.0.1
Kingsoft	Win32.Troj.Undef.(kcloud)	20201211	2017.9.26.565
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619661259.027375 GetComputerNameW	computer_name: OSKAR-PC	success	1	0
1619661271.418375 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619649224.860886 IsDebuggerPresent		failed	0	0
1619661264.24675 IsDebuggerPresent		failed	0	0

Command line console output was observed (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619661260.652375 WriteConsoleW	buffer: 成功: 成功创建计划任务 "setx"。 console_handle: 0x00000007	success	1	0
1619661272.527375 WriteConsoleW	buffer: 成功: 成功创建计划任务 "setx"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619649227.313886 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 个事件)

domain

daya4659.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (4 个事件)

Time & API	Arguments	Status
1619649225.672886 NtAllocateVirtualMemory	process_identifier: 1476 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01070000	success
1619649225.797886 NtAllocateVirtualMemory	process_identifier: 1476 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01080000	success
1619661268.09075 NtAllocateVirtualMemory	process_identifier: 3308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00c30000	success
1619661268.35575 NtAllocateVirtualMemory	process_identifier: 3308 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00c40000	success

A process attempted to delay the analysis task. (1 个事件)

description

remcos.exe tried to sleep 414 seconds, actually delayed analysis time by 414 seconds

Creates executable files on the filesystem (2 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs

Creates a suspicious process (4 个事件)

cmdline	"C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
cmdline	schtasks /create /tn setx /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
cmdline	"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
cmdline	C:\Windows\SysWOW64\svchost.exe

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs

A process created a hidden window (4 个事件)

Time & API	Arguments	Status	Return
1619649227.907886 ShellExecuteExW	parameters: /create /tn setx /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F filepath: schtasks filepath_r: schtasks show_type: 0	success	1
1619661257.871375 ShellExecuteExW	parameters: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs show_type: 0	success	1
1619661262.69925 ShellExecuteExW	parameters: /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe" filepath: cmd filepath_r: cmd show_type: 0	success	1
1619661270.57475 ShellExecuteExW	parameters: /create /tn setx /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F filepath: schtasks filepath_r: schtasks show_type: 0	success	1

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	schtasks /create /tn setx /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
cmdline	"C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F

One or more of the buffers contains an embedded PE file (2 个事件)

buffer	Buffer with sha1: acaf4da504194a6727f8ff9d9141e640f454ae9b
buffer	Buffer with sha1: b123672a43a2e85b1248281905693a6721982fc5

Communicates with host for which no DNS query was performed (2 个事件)

host	172.217.24.14
host	58.63.233.69

Allocates execute permission to another process indicative of possible code injection (50 out of 75 个事件)

Time & API	Arguments	Status	Return
1619649225.797886 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619649225.797886 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000b0000	success	0
1619661268.35575 NtAllocateVirtualMemory	process_identifier: 3368 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000124 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661268.37175 NtAllocateVirtualMemory	process_identifier: 3368 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000124 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000b0000	success	0
1619661270.027125 NtAllocateVirtualMemory	process_identifier: 3472 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000154 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661273.965125 NtAllocateVirtualMemory	process_identifier: 3732 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001d0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661277.715125 NtAllocateVirtualMemory	process_identifier: 3864 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001e4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661280.590125 NtAllocateVirtualMemory	process_identifier: 3968 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001f0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661283.043125 NtAllocateVirtualMemory	process_identifier: 4080 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001fc allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661285.574125 NtAllocateVirtualMemory	process_identifier: 3200 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000208 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661287.949125 NtAllocateVirtualMemory	process_identifier: 1752 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000020c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661290.480125 NtAllocateVirtualMemory	process_identifier: 3408 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000021c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661293.559125 NtAllocateVirtualMemory	process_identifier: 3692 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000228 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661296.059125 NtAllocateVirtualMemory	process_identifier: 3784 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000234 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661298.527125 NtAllocateVirtualMemory	process_identifier: 2796 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000240 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661300.871125 NtAllocateVirtualMemory	process_identifier: 3928 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000250 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661303.246125 NtAllocateVirtualMemory	process_identifier: 4036 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000254 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661305.637125 NtAllocateVirtualMemory	process_identifier: 3180 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000264 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661308.090125 NtAllocateVirtualMemory	process_identifier: 2224 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000270 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661310.465125 NtAllocateVirtualMemory	process_identifier: 3700 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000027c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661312.809125 NtAllocateVirtualMemory	process_identifier: 3520 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000288 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661315.215125 NtAllocateVirtualMemory	process_identifier: 3940 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000028c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661317.605125 NtAllocateVirtualMemory	process_identifier: 3156 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000029c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661319.777125 NtAllocateVirtualMemory	process_identifier: 2852 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002a8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661322.152125 NtAllocateVirtualMemory	process_identifier: 1168 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002b4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661324.512125 NtAllocateVirtualMemory	process_identifier: 1856 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002c0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661326.730125 NtAllocateVirtualMemory	process_identifier: 3488 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002c4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661328.980125 NtAllocateVirtualMemory	process_identifier: 984 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002d4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661331.309125 NtAllocateVirtualMemory	process_identifier: 3028 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002e8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661333.699125 NtAllocateVirtualMemory	process_identifier: 2052 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002f4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661335.965125 NtAllocateVirtualMemory	process_identifier: 1828 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000002f8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661338.230125 NtAllocateVirtualMemory	process_identifier: 3360 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000308 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661340.465125 NtAllocateVirtualMemory	process_identifier: 3568 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000314 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661340.512125 NtAllocateVirtualMemory	process_identifier: 3904 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000318 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661340.559125 NtAllocateVirtualMemory	process_identifier: 1212 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000320 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661340.605125 NtAllocateVirtualMemory	process_identifier: 4120 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000328 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661340.621125 NtAllocateVirtualMemory	process_identifier: 4156 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000330 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661340.699125 NtAllocateVirtualMemory	process_identifier: 4192 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000338 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661340.730125 NtAllocateVirtualMemory	process_identifier: 4228 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000340 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661340.809125 NtAllocateVirtualMemory	process_identifier: 4264 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000348 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661340.840125 NtAllocateVirtualMemory	process_identifier: 4300 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000350 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661340.902125 NtAllocateVirtualMemory	process_identifier: 4336 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000358 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661340.980125 NtAllocateVirtualMemory	process_identifier: 4372 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000360 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661340.996125 NtAllocateVirtualMemory	process_identifier: 4408 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000368 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661341.137125 NtAllocateVirtualMemory	process_identifier: 4444 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000370 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661341.184125 NtAllocateVirtualMemory	process_identifier: 4480 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000378 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661341.340125 NtAllocateVirtualMemory	process_identifier: 4516 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000380 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661341.418125 NtAllocateVirtualMemory	process_identifier: 4556 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000388 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661341.480125 NtAllocateVirtualMemory	process_identifier: 4592 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000390 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661341.512125 NtAllocateVirtualMemory	process_identifier: 4628 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000398 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496

Installs itself for autorun at Windows startup (50 out of 54 个事件)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos	reg_value	"C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\install.vbs

Manipulates memory of a non-child process indicative of process injection (50 out of 86 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3368 manipulating memory of non-child process 3568
Process injection	Process 3368 manipulating memory of non-child process 3904
Process injection	Process 3368 manipulating memory of non-child process 1212
Process injection	Process 3368 manipulating memory of non-child process 4120
Process injection	Process 3368 manipulating memory of non-child process 4156
Process injection	Process 3368 manipulating memory of non-child process 4192
Process injection	Process 3368 manipulating memory of non-child process 4228
Process injection	Process 3368 manipulating memory of non-child process 4264
Process injection	Process 3368 manipulating memory of non-child process 4300
Process injection	Process 3368 manipulating memory of non-child process 4336
Process injection	Process 3368 manipulating memory of non-child process 4372
Process injection	Process 3368 manipulating memory of non-child process 4408
Process injection	Process 3368 manipulating memory of non-child process 4444
Process injection	Process 3368 manipulating memory of non-child process 4480
Process injection	Process 3368 manipulating memory of non-child process 4516
Process injection	Process 3368 manipulating memory of non-child process 4556
Process injection	Process 3368 manipulating memory of non-child process 4592
Process injection	Process 3368 manipulating memory of non-child process 4628
Process injection	Process 3368 manipulating memory of non-child process 4664
Process injection	Process 3368 manipulating memory of non-child process 4700
Process injection	Process 3368 manipulating memory of non-child process 4736
Process injection	Process 3368 manipulating memory of non-child process 4772
Process injection	Process 3368 manipulating memory of non-child process 4808
Process injection	Process 3368 manipulating memory of non-child process 4844
Process injection	Process 3368 manipulating memory of non-child process 4880
1619661340.465125 NtAllocateVirtualMemory	process_identifier: 3568 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000314 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661340.512125 NtAllocateVirtualMemory	process_identifier: 3904 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000318 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661340.559125 NtAllocateVirtualMemory	process_identifier: 1212 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000320 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661340.605125 NtAllocateVirtualMemory	process_identifier: 4120 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000328 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661340.621125 NtAllocateVirtualMemory	process_identifier: 4156 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000330 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661340.699125 NtAllocateVirtualMemory	process_identifier: 4192 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000338 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661340.730125 NtAllocateVirtualMemory	process_identifier: 4228 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000340 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661340.809125 NtAllocateVirtualMemory	process_identifier: 4264 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000348 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661340.840125 NtAllocateVirtualMemory	process_identifier: 4300 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000350 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661340.902125 NtAllocateVirtualMemory	process_identifier: 4336 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000358 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661340.980125 NtAllocateVirtualMemory	process_identifier: 4372 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000360 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661340.996125 NtAllocateVirtualMemory	process_identifier: 4408 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000368 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.137125 NtAllocateVirtualMemory	process_identifier: 4444 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000370 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.184125 NtAllocateVirtualMemory	process_identifier: 4480 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000378 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.340125 NtAllocateVirtualMemory	process_identifier: 4516 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000380 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.418125 NtAllocateVirtualMemory	process_identifier: 4556 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000388 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.480125 NtAllocateVirtualMemory	process_identifier: 4592 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000390 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.512125 NtAllocateVirtualMemory	process_identifier: 4628 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000398 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.559125 NtAllocateVirtualMemory	process_identifier: 4664 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003a0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.637125 NtAllocateVirtualMemory	process_identifier: 4700 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003a8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.668125 NtAllocateVirtualMemory	process_identifier: 4736 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003b0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.730125 NtAllocateVirtualMemory	process_identifier: 4772 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003b8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.793125 NtAllocateVirtualMemory	process_identifier: 4808 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003c0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.887125 NtAllocateVirtualMemory	process_identifier: 4844 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003c8 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0
1619661341.934125 NtAllocateVirtualMemory	process_identifier: 4880 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000003d0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496	0

Potential code injection by writing to the memory of another process (50 out of 58 个事件)

Time & API	Arguments	Status	Return
1619649225.813886 WriteProcessMemory	process_identifier: 2080 buffer: process_handle: 0x00000120 base_address: 0xfffde008	success	1
1619661268.37175 WriteProcessMemory	process_identifier: 3368 buffer: process_handle: 0x00000124 base_address: 0xfffde008	success	1
1619661270.027125 WriteProcessMemory	process_identifier: 3472 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000154 base_address: 0x00400000	success	1
1619661270.074125 WriteProcessMemory	process_identifier: 3472 buffer: @ process_handle: 0x00000154 base_address: 0x7efde008	success	1
1619661273.965125 WriteProcessMemory	process_identifier: 3732 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000001d0 base_address: 0x00400000	success	1
1619661274.043125 WriteProcessMemory	process_identifier: 3732 buffer: @ process_handle: 0x000001d0 base_address: 0x7efde008	success	1
1619661277.715125 WriteProcessMemory	process_identifier: 3864 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000001e4 base_address: 0x00400000	success	1
1619661278.027125 WriteProcessMemory	process_identifier: 3864 buffer: @ process_handle: 0x000001e4 base_address: 0x7efde008	success	1
1619661280.590125 WriteProcessMemory	process_identifier: 3968 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000001f0 base_address: 0x00400000	success	1
1619661280.621125 WriteProcessMemory	process_identifier: 3968 buffer: @ process_handle: 0x000001f0 base_address: 0x7efde008	success	1
1619661283.043125 WriteProcessMemory	process_identifier: 4080 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000001fc base_address: 0x00400000	success	1
1619661283.105125 WriteProcessMemory	process_identifier: 4080 buffer: @ process_handle: 0x000001fc base_address: 0x7efde008	success	1
1619661285.574125 WriteProcessMemory	process_identifier: 3200 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000208 base_address: 0x00400000	success	1
1619661285.605125 WriteProcessMemory	process_identifier: 3200 buffer: @ process_handle: 0x00000208 base_address: 0x7efde008	success	1
1619661287.949125 WriteProcessMemory	process_identifier: 1752 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x0000020c base_address: 0x00400000	success	1
1619661288.012125 WriteProcessMemory	process_identifier: 1752 buffer: @ process_handle: 0x0000020c base_address: 0x7efde008	success	1
1619661290.480125 WriteProcessMemory	process_identifier: 3408 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x0000021c base_address: 0x00400000	success	1
1619661290.512125 WriteProcessMemory	process_identifier: 3408 buffer: @ process_handle: 0x0000021c base_address: 0x7efde008	success	1
1619661293.559125 WriteProcessMemory	process_identifier: 3692 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000228 base_address: 0x00400000	success	1
1619661293.605125 WriteProcessMemory	process_identifier: 3692 buffer: @ process_handle: 0x00000228 base_address: 0x7efde008	success	1
1619661296.059125 WriteProcessMemory	process_identifier: 3784 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000234 base_address: 0x00400000	success	1
1619661296.105125 WriteProcessMemory	process_identifier: 3784 buffer: @ process_handle: 0x00000234 base_address: 0x7efde008	success	1
1619661298.527125 WriteProcessMemory	process_identifier: 2796 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000240 base_address: 0x00400000	success	1
1619661298.559125 WriteProcessMemory	process_identifier: 2796 buffer: @ process_handle: 0x00000240 base_address: 0x7efde008	success	1
1619661300.871125 WriteProcessMemory	process_identifier: 3928 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000250 base_address: 0x00400000	success	1
1619661300.902125 WriteProcessMemory	process_identifier: 3928 buffer: @ process_handle: 0x00000250 base_address: 0x7efde008	success	1
1619661303.246125 WriteProcessMemory	process_identifier: 4036 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000254 base_address: 0x00400000	success	1
1619661303.277125 WriteProcessMemory	process_identifier: 4036 buffer: @ process_handle: 0x00000254 base_address: 0x7efde008	success	1
1619661305.637125 WriteProcessMemory	process_identifier: 3180 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000264 base_address: 0x00400000	success	1
1619661305.668125 WriteProcessMemory	process_identifier: 3180 buffer: @ process_handle: 0x00000264 base_address: 0x7efde008	success	1
1619661308.090125 WriteProcessMemory	process_identifier: 2224 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000270 base_address: 0x00400000	success	1
1619661308.121125 WriteProcessMemory	process_identifier: 2224 buffer: @ process_handle: 0x00000270 base_address: 0x7efde008	success	1
1619661310.465125 WriteProcessMemory	process_identifier: 3700 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x0000027c base_address: 0x00400000	success	1
1619661310.480125 WriteProcessMemory	process_identifier: 3700 buffer: @ process_handle: 0x0000027c base_address: 0x7efde008	success	1
1619661312.809125 WriteProcessMemory	process_identifier: 3520 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000288 base_address: 0x00400000	success	1
1619661312.824125 WriteProcessMemory	process_identifier: 3520 buffer: @ process_handle: 0x00000288 base_address: 0x7efde008	success	1
1619661315.215125 WriteProcessMemory	process_identifier: 3940 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x0000028c base_address: 0x00400000	success	1
1619661315.277125 WriteProcessMemory	process_identifier: 3940 buffer: @ process_handle: 0x0000028c base_address: 0x7efde008	success	1
1619661317.605125 WriteProcessMemory	process_identifier: 3156 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x0000029c base_address: 0x00400000	success	1
1619661317.637125 WriteProcessMemory	process_identifier: 3156 buffer: @ process_handle: 0x0000029c base_address: 0x7efde008	success	1
1619661319.777125 WriteProcessMemory	process_identifier: 2852 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002a8 base_address: 0x00400000	success	1
1619661319.824125 WriteProcessMemory	process_identifier: 2852 buffer: @ process_handle: 0x000002a8 base_address: 0x7efde008	success	1
1619661322.152125 WriteProcessMemory	process_identifier: 1168 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002b4 base_address: 0x00400000	success	1
1619661322.184125 WriteProcessMemory	process_identifier: 1168 buffer: @ process_handle: 0x000002b4 base_address: 0x7efde008	success	1
1619661324.512125 WriteProcessMemory	process_identifier: 1856 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002c0 base_address: 0x00400000	success	1
1619661324.543125 WriteProcessMemory	process_identifier: 1856 buffer: @ process_handle: 0x000002c0 base_address: 0x7efde008	success	1
1619661326.730125 WriteProcessMemory	process_identifier: 3488 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002c4 base_address: 0x00400000	success	1
1619661326.762125 WriteProcessMemory	process_identifier: 3488 buffer: @ process_handle: 0x000002c4 base_address: 0x7efde008	success	1
1619661328.980125 WriteProcessMemory	process_identifier: 984 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002d4 base_address: 0x00400000	success	1
1619661329.012125 WriteProcessMemory	process_identifier: 984 buffer: @ process_handle: 0x000002d4 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (28 个事件)

Time & API	Arguments	Status	Return
1619661270.027125 WriteProcessMemory	process_identifier: 3472 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000154 base_address: 0x00400000	success	1
1619661273.965125 WriteProcessMemory	process_identifier: 3732 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000001d0 base_address: 0x00400000	success	1
1619661277.715125 WriteProcessMemory	process_identifier: 3864 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000001e4 base_address: 0x00400000	success	1
1619661280.590125 WriteProcessMemory	process_identifier: 3968 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000001f0 base_address: 0x00400000	success	1
1619661283.043125 WriteProcessMemory	process_identifier: 4080 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000001fc base_address: 0x00400000	success	1
1619661285.574125 WriteProcessMemory	process_identifier: 3200 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000208 base_address: 0x00400000	success	1
1619661287.949125 WriteProcessMemory	process_identifier: 1752 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x0000020c base_address: 0x00400000	success	1
1619661290.480125 WriteProcessMemory	process_identifier: 3408 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x0000021c base_address: 0x00400000	success	1
1619661293.559125 WriteProcessMemory	process_identifier: 3692 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000228 base_address: 0x00400000	success	1
1619661296.059125 WriteProcessMemory	process_identifier: 3784 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000234 base_address: 0x00400000	success	1
1619661298.527125 WriteProcessMemory	process_identifier: 2796 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000240 base_address: 0x00400000	success	1
1619661300.871125 WriteProcessMemory	process_identifier: 3928 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000250 base_address: 0x00400000	success	1
1619661303.246125 WriteProcessMemory	process_identifier: 4036 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000254 base_address: 0x00400000	success	1
1619661305.637125 WriteProcessMemory	process_identifier: 3180 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000264 base_address: 0x00400000	success	1
1619661308.090125 WriteProcessMemory	process_identifier: 2224 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000270 base_address: 0x00400000	success	1
1619661310.465125 WriteProcessMemory	process_identifier: 3700 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x0000027c base_address: 0x00400000	success	1
1619661312.809125 WriteProcessMemory	process_identifier: 3520 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000288 base_address: 0x00400000	success	1
1619661315.215125 WriteProcessMemory	process_identifier: 3940 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x0000028c base_address: 0x00400000	success	1
1619661317.605125 WriteProcessMemory	process_identifier: 3156 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x0000029c base_address: 0x00400000	success	1
1619661319.777125 WriteProcessMemory	process_identifier: 2852 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002a8 base_address: 0x00400000	success	1
1619661322.152125 WriteProcessMemory	process_identifier: 1168 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002b4 base_address: 0x00400000	success	1
1619661324.512125 WriteProcessMemory	process_identifier: 1856 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002c0 base_address: 0x00400000	success	1
1619661326.730125 WriteProcessMemory	process_identifier: 3488 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002c4 base_address: 0x00400000	success	1
1619661328.980125 WriteProcessMemory	process_identifier: 984 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002d4 base_address: 0x00400000	success	1
1619661331.309125 WriteProcessMemory	process_identifier: 3028 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002e8 base_address: 0x00400000	success	1
1619661333.699125 WriteProcessMemory	process_identifier: 2052 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002f4 base_address: 0x00400000	success	1
1619661335.965125 WriteProcessMemory	process_identifier: 1828 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000002f8 base_address: 0x00400000	success	1
1619661338.230125 WriteProcessMemory	process_identifier: 3360 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000308 base_address: 0x00400000	success	1

Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619661269.324125 SetWindowsHookExA	thread_identifier: 0 callback_function: 0x000b5329 module_address: 0x00000000 hook_identifier: 13 (WH_KEYBOARD_LL)	success	1507721	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (50 out of 60 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1476 called NtSetContextThread to modify thread in remote process 2080
Process injection	Process 3308 called NtSetContextThread to modify thread in remote process 3368
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3472
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3732
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3864
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3968
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 4080
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3200
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 1752
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3408
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3692
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3784
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 2796
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3928
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 4036
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3180
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 2224
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3700
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3520
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3940
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3156
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 2852
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 1168
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 1856
Process injection	Process 3368 called NtSetContextThread to modify thread in remote process 3488
1619649225.813886 NtSetContextThread	thread_handle: 0x00000124 registers.eip: 2010382788 registers.esp: 6748348 registers.edi: 0 registers.eax: 800276 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 process_identifier: 2080	success	0	0
1619661268.37175 NtSetContextThread	thread_handle: 0x00000128 registers.eip: 2010382788 registers.esp: 6748684 registers.edi: 0 registers.eax: 800276 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 process_identifier: 3368	success	0	0
1619661270.074125 NtSetContextThread	thread_handle: 0x00000150 registers.eip: 2010382788 registers.esp: 785308 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3472	success	0	0
1619661274.043125 NtSetContextThread	thread_handle: 0x000001c8 registers.eip: 2010382788 registers.esp: 916732 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3732	success	0	0
1619661278.027125 NtSetContextThread	thread_handle: 0x000001d4 registers.eip: 2010382788 registers.esp: 785956 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3864	success	0	0
1619661280.621125 NtSetContextThread	thread_handle: 0x000001e8 registers.eip: 2010382788 registers.esp: 719464 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3968	success	0	0
1619661283.105125 NtSetContextThread	thread_handle: 0x000001f4 registers.eip: 2010382788 registers.esp: 1046956 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 4080	success	0	0
1619661285.605125 NtSetContextThread	thread_handle: 0x00000200 registers.eip: 2010382788 registers.esp: 654324 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3200	success	0	0
1619661288.012125 NtSetContextThread	thread_handle: 0x00000210 registers.eip: 2010382788 registers.esp: 3340380 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1752	success	0	0
1619661290.512125 NtSetContextThread	thread_handle: 0x00000214 registers.eip: 2010382788 registers.esp: 916956 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3408	success	0	0
1619661293.605125 NtSetContextThread	thread_handle: 0x00000220 registers.eip: 2010382788 registers.esp: 2948116 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3692	success	0	0
1619661296.121125 NtSetContextThread	thread_handle: 0x0000022c registers.eip: 2010382788 registers.esp: 1048292 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3784	success	0	0
1619661298.559125 NtSetContextThread	thread_handle: 0x00000238 registers.eip: 2010382788 registers.esp: 3341308 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2796	success	0	0
1619661300.902125 NtSetContextThread	thread_handle: 0x0000024c registers.eip: 2010382788 registers.esp: 1637188 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3928	success	0	0
1619661303.277125 NtSetContextThread	thread_handle: 0x00000258 registers.eip: 2010382788 registers.esp: 1048244 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 4036	success	0	0
1619661305.668125 NtSetContextThread	thread_handle: 0x0000025c registers.eip: 2010382788 registers.esp: 2883288 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3180	success	0	0
1619661308.121125 NtSetContextThread	thread_handle: 0x00000268 registers.eip: 2010382788 registers.esp: 2685244 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2224	success	0	0
1619661310.480125 NtSetContextThread	thread_handle: 0x00000274 registers.eip: 2010382788 registers.esp: 1571492 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3700	success	0	0
1619661312.824125 NtSetContextThread	thread_handle: 0x00000280 registers.eip: 2010382788 registers.esp: 2358400 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3520	success	0	0
1619661315.293125 NtSetContextThread	thread_handle: 0x00000290 registers.eip: 2010382788 registers.esp: 2555836 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3940	success	0	0
1619661317.637125 NtSetContextThread	thread_handle: 0x00000294 registers.eip: 2010382788 registers.esp: 1768724 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3156	success	0	0
1619661319.824125 NtSetContextThread	thread_handle: 0x000002a0 registers.eip: 2010382788 registers.esp: 2030848 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2852	success	0	0
1619661322.184125 NtSetContextThread	thread_handle: 0x000002ac registers.eip: 2010382788 registers.esp: 1441700 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1168	success	0	0
1619661324.543125 NtSetContextThread	thread_handle: 0x000002b8 registers.eip: 2010382788 registers.esp: 2292700 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 1856	success	0	0
1619661326.762125 NtSetContextThread	thread_handle: 0x000002c8 registers.eip: 2010382788 registers.esp: 851588 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3488	success	0	0

One or more non-safelisted processes were created (2 个事件)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"
parent_process	wscript.exe				martian_process	cmd /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (50 out of 64 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1476 resumed a thread in remote process 2080
Process injection	Process 1476 resumed a thread in remote process 2420
Process injection	Process 3308 resumed a thread in remote process 3368
Process injection	Process 3308 resumed a thread in remote process 3528
Process injection	Process 3368 resumed a thread in remote process 3472
Process injection	Process 3368 resumed a thread in remote process 3732
Process injection	Process 3368 resumed a thread in remote process 3864
Process injection	Process 3368 resumed a thread in remote process 3968
Process injection	Process 3368 resumed a thread in remote process 4080
Process injection	Process 3368 resumed a thread in remote process 3200
Process injection	Process 3368 resumed a thread in remote process 1752
Process injection	Process 3368 resumed a thread in remote process 3408
Process injection	Process 3368 resumed a thread in remote process 3692
Process injection	Process 3368 resumed a thread in remote process 3784
Process injection	Process 3368 resumed a thread in remote process 2796
Process injection	Process 3368 resumed a thread in remote process 3928
Process injection	Process 3368 resumed a thread in remote process 4036
Process injection	Process 3368 resumed a thread in remote process 3180
Process injection	Process 3368 resumed a thread in remote process 2224
Process injection	Process 3368 resumed a thread in remote process 3700
Process injection	Process 3368 resumed a thread in remote process 3520
Process injection	Process 3368 resumed a thread in remote process 3940
Process injection	Process 3368 resumed a thread in remote process 3156
Process injection	Process 3368 resumed a thread in remote process 2852
Process injection	Process 3368 resumed a thread in remote process 1168
1619649226.313886 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2080	success	0	0
1619649227.907886 NtResumeThread	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2420	success	0	0
1619661268.99675 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 3368	success	0	0
1619661270.57475 NtResumeThread	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 3528	success	0	0
1619661270.449125 NtResumeThread	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 3472	success	0	0
1619661274.809125 NtResumeThread	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 3732	success	0	0
1619661278.418125 NtResumeThread	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 3864	success	0	0
1619661280.918125 NtResumeThread	thread_handle: 0x000001e8 suspend_count: 1 process_identifier: 3968	success	0	0
1619661283.387125 NtResumeThread	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 4080	success	0	0
1619661285.824125 NtResumeThread	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 3200	success	0	0
1619661288.277125 NtResumeThread	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 1752	success	0	0
1619661290.902125 NtResumeThread	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 3408	success	0	0
1619661293.934125 NtResumeThread	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 3692	success	0	0
1619661296.434125 NtResumeThread	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 3784	success	0	0
1619661298.809125 NtResumeThread	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2796	success	0	0
1619661301.137125 NtResumeThread	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 3928	success	0	0
1619661303.496125 NtResumeThread	thread_handle: 0x00000258 suspend_count: 1 process_identifier: 4036	success	0	0
1619661305.934125 NtResumeThread	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 3180	success	0	0
1619661308.371125 NtResumeThread	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 2224	success	0	0
1619661310.715125 NtResumeThread	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 3700	success	0	0
1619661313.090125 NtResumeThread	thread_handle: 0x00000280 suspend_count: 1 process_identifier: 3520	success	0	0
1619661315.543125 NtResumeThread	thread_handle: 0x00000290 suspend_count: 1 process_identifier: 3940	success	0	0
1619661317.746125 NtResumeThread	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 3156	success	0	0
1619661320.074125 NtResumeThread	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2852	success	0	0
1619661322.402125 NtResumeThread	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 1168	success	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.160.110:443

Executed a process and injected code into it, probably while unpacking (50 out of 491 个事件)

Time & API	Arguments	Status	Return
1619649225.797886 CreateProcessInternalW	thread_identifier: 392 thread_handle: 0x00000124 process_identifier: 2080 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\799e9ecf57f205fe316328a1c739a56a.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\799e9ecf57f205fe316328a1c739a56a.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000120 inherit_handles: 0	success	1
1619649225.797886 NtGetContextThread	thread_handle: 0x00000124	success	0
1619649225.797886 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619649225.797886 NtAllocateVirtualMemory	process_identifier: 2080 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000120 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000b0000	success	0
1619649225.797886 WriteProcessMemory	process_identifier: 2080 buffer: process_handle: 0x00000120 base_address: 0x000b0000	success	1
1619649225.813886 WriteProcessMemory	process_identifier: 2080 buffer: process_handle: 0x00000120 base_address: 0xfffde008	success	1
1619649225.813886 NtSetContextThread	thread_handle: 0x00000124 registers.eip: 2010382788 registers.esp: 6748348 registers.edi: 0 registers.eax: 800276 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 process_identifier: 2080	success	0
1619649226.313886 NtResumeThread	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2080	success	0
1619649227.469886 NtResumeThread	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 1476	success	0
1619649227.610886 CreateProcessInternalW	thread_identifier: 944 thread_handle: 0x00000254 process_identifier: 2420 current_directory: C:\Windows\SysWOW64 filepath: C:\Windows\SysWOW64\schtasks.exe track: 1 command_line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F filepath_r: C:\Windows\SysWOW64\schtasks.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000002b4 inherit_handles: 0	success	1
1619649227.907886 NtResumeThread	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2420	success	0
1619661257.543375 NtResumeThread	thread_handle: 0x000001e0 suspend_count: 1 process_identifier: 2080	success	0
1619661257.871375 CreateProcessInternalW	thread_identifier: 2256 thread_handle: 0x00000174 process_identifier: 360 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\install.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000188 inherit_handles: 0	success	1
1619661262.62125 CreateProcessInternalW	thread_identifier: 3228 thread_handle: 0x000002ac process_identifier: 3224 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000002f4 inherit_handles: 0	success	1
1619661263.80975 CreateProcessInternalW	thread_identifier: 3312 thread_handle: 0x00000080 process_identifier: 3308 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe track: 1 command_line: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000084 inherit_handles: 1	success	1
1619661268.35575 CreateProcessInternalW	thread_identifier: 3372 thread_handle: 0x00000128 process_identifier: 3368 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\remcos\remcos.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000124 inherit_handles: 0	success	1
1619661268.35575 NtGetContextThread	thread_handle: 0x00000128	success	0
1619661268.35575 NtAllocateVirtualMemory	process_identifier: 3368 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000124 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	failed	3221225496
1619661268.37175 NtAllocateVirtualMemory	process_identifier: 3368 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000124 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000b0000	success	0
1619661268.37175 WriteProcessMemory	process_identifier: 3368 buffer: process_handle: 0x00000124 base_address: 0x000b0000	success	1
1619661268.37175 WriteProcessMemory	process_identifier: 3368 buffer: process_handle: 0x00000124 base_address: 0xfffde008	success	1
1619661268.37175 NtSetContextThread	thread_handle: 0x00000128 registers.eip: 2010382788 registers.esp: 6748684 registers.edi: 0 registers.eax: 800276 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 process_identifier: 3368	success	0
1619661268.99675 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 3368	success	0
1619661269.87175 NtResumeThread	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 3308	success	0
1619661270.12175 CreateProcessInternalW	thread_identifier: 3532 thread_handle: 0x00000254 process_identifier: 3528 current_directory: C:\Windows\SysWOW64 filepath: C:\Windows\SysWOW64\schtasks.exe track: 1 command_line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F filepath_r: C:\Windows\SysWOW64\schtasks.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x000002b4 inherit_handles: 0	success	1
1619661270.57475 NtResumeThread	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 3528	success	0
1619661270.027125 CreateProcessInternalW	thread_identifier: 3476 thread_handle: 0x00000150 process_identifier: 3472 current_directory: filepath: track: 1 command_line: C:\Windows\SysWOW64\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000154 inherit_handles: 0	success	1
1619661270.027125 NtGetContextThread	thread_handle: 0x00000150	success	0
1619661270.027125 NtAllocateVirtualMemory	process_identifier: 3472 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000154 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661270.027125 WriteProcessMemory	process_identifier: 3472 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x00000154 base_address: 0x00400000	success	1
1619661270.027125 WriteProcessMemory	process_identifier: 3472 buffer: process_handle: 0x00000154 base_address: 0x00401000	success	1
1619661270.043125 WriteProcessMemory	process_identifier: 3472 buffer: process_handle: 0x00000154 base_address: 0x0048f000	success	1
1619661270.059125 WriteProcessMemory	process_identifier: 3472 buffer: process_handle: 0x00000154 base_address: 0x004bf000	success	1
1619661270.059125 WriteProcessMemory	process_identifier: 3472 buffer: process_handle: 0x00000154 base_address: 0x004c8000	success	1
1619661270.074125 WriteProcessMemory	process_identifier: 3472 buffer: process_handle: 0x00000154 base_address: 0x0051e000	success	1
1619661270.074125 WriteProcessMemory	process_identifier: 3472 buffer: @ process_handle: 0x00000154 base_address: 0x7efde008	success	1
1619661270.074125 NtSetContextThread	thread_handle: 0x00000150 registers.eip: 2010382788 registers.esp: 785308 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3472	success	0
1619661270.449125 NtResumeThread	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 3472	success	0
1619661273.949125 CreateProcessInternalW	thread_identifier: 3736 thread_handle: 0x000001c8 process_identifier: 3732 current_directory: filepath: track: 1 command_line: C:\Windows\SysWOW64\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x000001d0 inherit_handles: 0	success	1
1619661273.965125 NtGetContextThread	thread_handle: 0x000001c8	success	0
1619661273.965125 NtAllocateVirtualMemory	process_identifier: 3732 region_size: 1204224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000001d0 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619661273.965125 WriteProcessMemory	process_identifier: 3732 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $sRüÁRüÁRüÁCÁPüÁÌ²;ÁSüÁ_@#ÁaüÁ_@ÁãüÁ_@ÁgüÁ[jÁ[üÁ[joÁwüÁRýÁrüÁçÁüÁç#ÁSüÁ_@'ÁSüÁRkÁSüÁç"ÁSüÁRichRüÁPEL\à"à ð@`ª@@@ÌÀ\|ÀWà4qÀ+ PK @ð.textÝßà `.rdataýðþä@@.datatðRâ@À.rsrcÀWX4@@.reloc4qàr@B process_handle: 0x000001d0 base_address: 0x00400000	success	1
1619661273.965125 WriteProcessMemory	process_identifier: 3732 buffer: process_handle: 0x000001d0 base_address: 0x00401000	success	1
1619661273.996125 WriteProcessMemory	process_identifier: 3732 buffer: process_handle: 0x000001d0 base_address: 0x0048f000	success	1
1619661274.012125 WriteProcessMemory	process_identifier: 3732 buffer: process_handle: 0x000001d0 base_address: 0x004bf000	success	1
1619661274.012125 WriteProcessMemory	process_identifier: 3732 buffer: process_handle: 0x000001d0 base_address: 0x004c8000	success	1
1619661274.043125 WriteProcessMemory	process_identifier: 3732 buffer: process_handle: 0x000001d0 base_address: 0x0051e000	success	1
1619661274.043125 WriteProcessMemory	process_identifier: 3732 buffer: @ process_handle: 0x000001d0 base_address: 0x7efde008	success	1
1619661274.043125 NtSetContextThread	thread_handle: 0x000001c8 registers.eip: 2010382788 registers.esp: 916732 registers.edi: 0 registers.eax: 4358154 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3732	success	0
1619661274.809125 NtResumeThread	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 3732	success	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43301293
FireEye	Generic.mg.799e9ecf57f205fe
CAT-QuickHeal	Trojan.Autoit
McAfee	Artemis!799E9ECF57F2
Cylance	Unsafe
SUPERAntiSpyware	Trojan.Agent/Gen-Injector
Sangfor	Malware
K7AntiVirus	Trojan ( 00549f261 )
Alibaba	VirTool:Win32/AutInject.2777c126
K7GW	Trojan ( 00549f261 )
Cybereason	malicious.f57f20
Arcabit	Trojan.Generic.D294B9AD
Cyren	W32/AutoIt.TJ.gen!Eldorado
Symantec	Packed.Generic.548
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Autoit-6985962-0
Kaspersky	HEUR:Trojan.Win32.Autoit.gen
BitDefender	Trojan.GenericKD.43301293
NANO-Antivirus	Trojan.Win32.Autoit.hlmkkb
Avast	AutoIt:Injector-JF [Trj]
Tencent	Malware.Win32.Gencirc.10b0d10f
Ad-Aware	Trojan.GenericKD.43301293
Sophos	Mal/Generic-R + Mal/AuItInj-A
Comodo	TrojWare.Win32.AutoIt.SS@8sg957
F-Secure	Dropper.DR/AutoIt.Gen8
DrWeb	Trojan.Inject3.16009
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Trojan.AutoIt.CRYPTINJECT.SMA
McAfee-GW-Edition	BehavesLike.Win32.TrojanAitInject.th
Emsisoft	Trojan.GenericKD.43301293 (B)
Avira	DR/AutoIt.Gen8
Antiy-AVL	GrayWare/Autoit.ShellCode.a
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	VirTool:Win32/AutInject.CZ!bit
ZoneAlarm	HEUR:Trojan.Win32.Autoit.gen
GData	Trojan.GenericKD.43301293
Cynet	Malicious (score: 100)
AhnLab-V3	Win-Trojan/AutoInj.Exp
Acronis	suspicious
ALYac	Trojan.GenericKD.43301293
MAX	malware (ai score=100)
VBA32	Backdoor.Remcos
Malwarebytes	Backdoor.Remcos
ESET-NOD32	a variant of Win32/Packed.AutoIt.SS
TrendMicro-HouseCall	Trojan.AutoIt.CRYPTINJECT.SMA
Rising	Trojan.Pack-AutoIt!1.BBAC (CLASSIC)
Ikarus	Trojan.MSIL.NanoCore

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 个事件)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2019-03-16 23:17:19

Imports

Library WSOCK32.dll:

• 0x48f7c8 WSACleanup

• 0x48f7cc socket

• 0x48f7d0 inet_ntoa

• 0x48f7d4 setsockopt

• 0x48f7d8 ntohs

• 0x48f7dc recvfrom

• 0x48f7e0 ioctlsocket

• 0x48f7e4 htons

• 0x48f7e8 WSAStartup

• 0x48f7ec __WSAFDIsSet

• 0x48f7f0 select

• 0x48f7f4 accept

• 0x48f7f8 listen

• 0x48f7fc bind

• 0x48f800 closesocket

• 0x48f804 WSAGetLastError

• 0x48f808 recv

• 0x48f80c sendto

• 0x48f810 send

• 0x48f814 inet_addr

• 0x48f818 gethostbyname

• 0x48f81c gethostname

• 0x48f820 connect

Library VERSION.dll:

• 0x48f76c GetFileVersionInfoW

• 0x48f770 GetFileVersionInfoSizeW

• 0x48f774 VerQueryValueW

Library WINMM.dll:

• 0x48f7b8 timeGetTime

• 0x48f7bc waveOutSetVolume

• 0x48f7c0 mciSendStringW

Library COMCTL32.dll:

• 0x48f088 ImageList_ReplaceIcon

• 0x48f08c ImageList_Destroy

• 0x48f090 ImageList_Remove

• 0x48f094 ImageList_SetDragCursorImage

• 0x48f098 ImageList_BeginDrag

• 0x48f09c ImageList_DragEnter

• 0x48f0a0 ImageList_DragLeave

• 0x48f0a4 ImageList_EndDrag

• 0x48f0a8 ImageList_DragMove

• 0x48f0ac InitCommonControlsEx

• 0x48f0b0 ImageList_Create

Library MPR.dll:

• 0x48f3f8 WNetUseConnectionW

• 0x48f3fc WNetCancelConnection2W

• 0x48f400 WNetGetConnectionW

• 0x48f404 WNetAddConnection2W

Library WININET.dll:

• 0x48f77c InternetQueryDataAvailable

• 0x48f780 InternetCloseHandle

• 0x48f784 InternetOpenW

• 0x48f788 InternetSetOptionW

• 0x48f78c InternetCrackUrlW

• 0x48f790 HttpQueryInfoW

• 0x48f794 InternetQueryOptionW

• 0x48f798 HttpOpenRequestW

• 0x48f79c HttpSendRequestW

• 0x48f7a0 FtpOpenFileW

• 0x48f7a4 FtpGetFileSize

• 0x48f7a8 InternetOpenUrlW

• 0x48f7ac InternetReadFile

• 0x48f7b0 InternetConnectW

Library PSAPI.DLL:

• 0x48f484 GetProcessMemoryInfo

Library IPHLPAPI.DLL:

• 0x48f154 IcmpCreateFile

• 0x48f158 IcmpCloseHandle

• 0x48f15c IcmpSendEcho

Library USERENV.dll:

• 0x48f750 DestroyEnvironmentBlock

• 0x48f754 UnloadUserProfile

• 0x48f758 CreateEnvironmentBlock

• 0x48f75c LoadUserProfileW

Library UxTheme.dll:

• 0x48f764 IsThemeActive

Library KERNEL32.dll:

• 0x48f164 DuplicateHandle

• 0x48f168 CreateThread

• 0x48f16c WaitForSingleObject

• 0x48f170 HeapAlloc

• 0x48f174 GetProcessHeap

• 0x48f178 HeapFree

• 0x48f17c Sleep

• 0x48f180 GetCurrentThreadId

• 0x48f184 MultiByteToWideChar

• 0x48f188 MulDiv

• 0x48f18c GetVersionExW

• 0x48f190 IsWow64Process

• 0x48f194 GetSystemInfo

• 0x48f198 FreeLibrary

• 0x48f19c LoadLibraryA

• 0x48f1a0 GetProcAddress

• 0x48f1a4 SetErrorMode

• 0x48f1a8 GetModuleFileNameW

• 0x48f1ac WideCharToMultiByte

• 0x48f1b0 lstrcpyW

• 0x48f1b4 lstrlenW

• 0x48f1b8 GetModuleHandleW

• 0x48f1bc QueryPerformanceCounter

• 0x48f1c0 VirtualFreeEx

• 0x48f1c4 OpenProcess

• 0x48f1c8 VirtualAllocEx

• 0x48f1cc WriteProcessMemory

• 0x48f1d0 ReadProcessMemory

• 0x48f1d4 CreateFileW

• 0x48f1d8 SetFilePointerEx

• 0x48f1dc SetEndOfFile

• 0x48f1e0 ReadFile

• 0x48f1e4 WriteFile

• 0x48f1e8 FlushFileBuffers

• 0x48f1ec TerminateProcess

• 0x48f1f0 CreateToolhelp32Snapshot

• 0x48f1f4 Process32FirstW

• 0x48f1f8 Process32NextW

• 0x48f1fc SetFileTime

• 0x48f200 GetFileAttributesW

• 0x48f204 FindFirstFileW

• 0x48f208 SetCurrentDirectoryW

• 0x48f20c GetLongPathNameW

• 0x48f210 GetShortPathNameW

• 0x48f214 DeleteFileW

• 0x48f218 FindNextFileW

• 0x48f21c CopyFileExW

• 0x48f220 MoveFileW

• 0x48f224 CreateDirectoryW

• 0x48f228 RemoveDirectoryW

• 0x48f22c SetSystemPowerState

• 0x48f230 QueryPerformanceFrequency

• 0x48f234 FindResourceW

• 0x48f238 LoadResource

• 0x48f23c LockResource

• 0x48f240 SizeofResource

• 0x48f244 EnumResourceNamesW

• 0x48f248 OutputDebugStringW

• 0x48f24c GetTempPathW

• 0x48f250 GetTempFileNameW

• 0x48f254 DeviceIoControl

• 0x48f258 GetLocalTime

• 0x48f25c CompareStringW

• 0x48f260 GetCurrentProcess

• 0x48f264 EnterCriticalSection

• 0x48f268 LeaveCriticalSection

• 0x48f26c GetStdHandle

• 0x48f270 CreatePipe

• 0x48f274 InterlockedExchange

• 0x48f278 TerminateThread

• 0x48f27c LoadLibraryExW

• 0x48f280 FindResourceExW

• 0x48f284 CopyFileW

• 0x48f288 VirtualFree

• 0x48f28c FormatMessageW

• 0x48f290 GetExitCodeProcess

• 0x48f294 GetPrivateProfileStringW

• 0x48f298 WritePrivateProfileStringW

• 0x48f29c GetPrivateProfileSectionW

• 0x48f2a0 WritePrivateProfileSectionW

• 0x48f2a4 GetPrivateProfileSectionNamesW

• 0x48f2a8 FileTimeToLocalFileTime

• 0x48f2ac FileTimeToSystemTime

• 0x48f2b0 SystemTimeToFileTime

• 0x48f2b4 LocalFileTimeToFileTime

• 0x48f2b8 GetDriveTypeW

• 0x48f2bc GetDiskFreeSpaceExW

• 0x48f2c0 GetDiskFreeSpaceW

• 0x48f2c4 GetVolumeInformationW

• 0x48f2c8 SetVolumeLabelW

• 0x48f2cc CreateHardLinkW

• 0x48f2d0 SetFileAttributesW

• 0x48f2d4 CreateEventW

• 0x48f2d8 SetEvent

• 0x48f2dc GetEnvironmentVariableW

• 0x48f2e0 SetEnvironmentVariableW

• 0x48f2e4 GlobalLock

• 0x48f2e8 GlobalUnlock

• 0x48f2ec GlobalAlloc

• 0x48f2f0 GetFileSize

• 0x48f2f4 GlobalFree

• 0x48f2f8 GlobalMemoryStatusEx

• 0x48f2fc Beep

• 0x48f300 GetSystemDirectoryW

• 0x48f304 HeapReAlloc

• 0x48f308 HeapSize

• 0x48f30c GetComputerNameW

• 0x48f310 GetWindowsDirectoryW

• 0x48f314 GetCurrentProcessId

• 0x48f318 GetProcessIoCounters

• 0x48f31c CreateProcessW

• 0x48f320 GetProcessId

• 0x48f324 SetPriorityClass

• 0x48f328 LoadLibraryW

• 0x48f32c VirtualAlloc

• 0x48f330 IsDebuggerPresent

• 0x48f334 GetCurrentDirectoryW

• 0x48f338 lstrcmpiW

• 0x48f33c DecodePointer

• 0x48f340 GetLastError

• 0x48f344 RaiseException

• 0x48f348 InitializeCriticalSectionAndSpinCount

• 0x48f34c DeleteCriticalSection

• 0x48f350 InterlockedDecrement

• 0x48f354 InterlockedIncrement

• 0x48f358 GetCurrentThread

• 0x48f35c CloseHandle

• 0x48f360 GetFullPathNameW

• 0x48f364 EncodePointer

• 0x48f368 ExitProcess

• 0x48f36c GetModuleHandleExW

• 0x48f370 ExitThread

• 0x48f374 GetSystemTimeAsFileTime

• 0x48f378 ResumeThread

• 0x48f37c GetCommandLineW

• 0x48f380 IsProcessorFeaturePresent

• 0x48f384 IsValidCodePage

• 0x48f388 GetACP

• 0x48f38c GetOEMCP

• 0x48f390 GetCPInfo

• 0x48f394 SetLastError

• 0x48f398 UnhandledExceptionFilter

• 0x48f39c SetUnhandledExceptionFilter

• 0x48f3a0 TlsAlloc

• 0x48f3a4 TlsGetValue

• 0x48f3a8 TlsSetValue

• 0x48f3ac TlsFree

• 0x48f3b0 GetStartupInfoW

• 0x48f3b4 GetStringTypeW

• 0x48f3b8 SetStdHandle

• 0x48f3bc GetFileType

• 0x48f3c0 GetConsoleCP

• 0x48f3c4 GetConsoleMode

• 0x48f3c8 RtlUnwind

• 0x48f3cc ReadConsoleW

• 0x48f3d0 GetTimeZoneInformation

• 0x48f3d4 GetDateFormatW

• 0x48f3d8 GetTimeFormatW

• 0x48f3dc LCMapStringW

• 0x48f3e0 GetEnvironmentStringsW

• 0x48f3e4 FreeEnvironmentStringsW

• 0x48f3e8 WriteConsoleW

• 0x48f3ec FindClose

• 0x48f3f0 SetEnvironmentVariableA

Library USER32.dll:

• 0x48f4cc AdjustWindowRectEx

• 0x48f4d0 CopyImage

• 0x48f4d4 SetWindowPos

• 0x48f4d8 GetCursorInfo

• 0x48f4dc RegisterHotKey

• 0x48f4e0 ClientToScreen

• 0x48f4e4 GetKeyboardLayoutNameW

• 0x48f4e8 IsCharAlphaW

• 0x48f4ec IsCharAlphaNumericW

• 0x48f4f0 IsCharLowerW

• 0x48f4f4 IsCharUpperW

• 0x48f4f8 GetMenuStringW

• 0x48f4fc GetSubMenu

• 0x48f500 GetCaretPos

• 0x48f504 IsZoomed

• 0x48f508 MonitorFromPoint

• 0x48f50c GetMonitorInfoW

• 0x48f510 SetWindowLongW

• 0x48f514 SetLayeredWindowAttributes

• 0x48f518 FlashWindow

• 0x48f51c GetClassLongW

• 0x48f520 TranslateAcceleratorW

• 0x48f524 IsDialogMessageW

• 0x48f528 GetSysColor

• 0x48f52c InflateRect

• 0x48f530 DrawFocusRect

• 0x48f534 DrawTextW

• 0x48f538 FrameRect

• 0x48f53c DrawFrameControl

• 0x48f540 FillRect

• 0x48f544 PtInRect

• 0x48f548 DestroyAcceleratorTable

• 0x48f54c CreateAcceleratorTableW

• 0x48f550 SetCursor

• 0x48f554 GetWindowDC

• 0x48f558 GetSystemMetrics

• 0x48f55c GetActiveWindow

• 0x48f560 CharNextW

• 0x48f564 wsprintfW

• 0x48f568 RedrawWindow

• 0x48f56c DrawMenuBar

• 0x48f570 DestroyMenu

• 0x48f574 SetMenu

• 0x48f578 GetWindowTextLengthW

• 0x48f57c CreateMenu

• 0x48f580 IsDlgButtonChecked

• 0x48f584 DefDlgProcW

• 0x48f588 CallWindowProcW

• 0x48f58c ReleaseCapture

• 0x48f590 SetCapture

• 0x48f594 CreateIconFromResourceEx

• 0x48f598 mouse_event

• 0x48f59c ExitWindowsEx

• 0x48f5a0 SetActiveWindow

• 0x48f5a4 FindWindowExW

• 0x48f5a8 EnumThreadWindows

• 0x48f5ac SetMenuDefaultItem

• 0x48f5b0 InsertMenuItemW

• 0x48f5b4 IsMenu

• 0x48f5b8 TrackPopupMenuEx

• 0x48f5bc GetCursorPos

• 0x48f5c0 DeleteMenu

• 0x48f5c4 SetRect

• 0x48f5c8 GetMenuItemID

• 0x48f5cc GetMenuItemCount

• 0x48f5d0 SetMenuItemInfoW

• 0x48f5d4 GetMenuItemInfoW

• 0x48f5d8 SetForegroundWindow

• 0x48f5dc IsIconic

• 0x48f5e0 FindWindowW

• 0x48f5e4 MonitorFromRect

• 0x48f5e8 keybd_event

• 0x48f5ec SendInput

• 0x48f5f0 GetAsyncKeyState

• 0x48f5f4 SetKeyboardState

• 0x48f5f8 GetKeyboardState

• 0x48f5fc GetKeyState

• 0x48f600 VkKeyScanW

• 0x48f604 LoadStringW

• 0x48f608 DialogBoxParamW

• 0x48f60c MessageBeep

• 0x48f610 EndDialog

• 0x48f614 SendDlgItemMessageW

• 0x48f618 GetDlgItem

• 0x48f61c SetWindowTextW

• 0x48f620 CopyRect

• 0x48f624 ReleaseDC

• 0x48f628 GetDC

• 0x48f62c EndPaint

• 0x48f630 BeginPaint

• 0x48f634 GetClientRect

• 0x48f638 GetMenu

• 0x48f63c DestroyWindow

• 0x48f640 EnumWindows

• 0x48f644 GetDesktopWindow

• 0x48f648 IsWindow

• 0x48f64c IsWindowEnabled

• 0x48f650 IsWindowVisible

• 0x48f654 EnableWindow

• 0x48f658 InvalidateRect

• 0x48f65c GetWindowLongW

• 0x48f660 GetWindowThreadProcessId

• 0x48f664 AttachThreadInput

• 0x48f668 GetFocus

• 0x48f66c GetWindowTextW

• 0x48f670 ScreenToClient

• 0x48f674 SendMessageTimeoutW

• 0x48f678 EnumChildWindows

• 0x48f67c CharUpperBuffW

• 0x48f680 GetParent

• 0x48f684 GetDlgCtrlID

• 0x48f688 SendMessageW

• 0x48f68c MapVirtualKeyW

• 0x48f690 PostMessageW

• 0x48f694 GetWindowRect

• 0x48f698 SetUserObjectSecurity

• 0x48f69c CloseDesktop

• 0x48f6a0 CloseWindowStation

• 0x48f6a4 OpenDesktopW

• 0x48f6a8 SetProcessWindowStation

• 0x48f6ac GetProcessWindowStation

• 0x48f6b0 OpenWindowStationW

• 0x48f6b4 GetUserObjectSecurity

• 0x48f6b8 MessageBoxW

• 0x48f6bc DefWindowProcW

• 0x48f6c0 SetClipboardData

• 0x48f6c4 EmptyClipboard

• 0x48f6c8 CountClipboardFormats

• 0x48f6cc CloseClipboard

• 0x48f6d0 GetClipboardData

• 0x48f6d4 IsClipboardFormatAvailable

• 0x48f6d8 OpenClipboard

• 0x48f6dc BlockInput

• 0x48f6e0 GetMessageW

• 0x48f6e4 LockWindowUpdate

• 0x48f6e8 DispatchMessageW

• 0x48f6ec TranslateMessage

• 0x48f6f0 PeekMessageW

• 0x48f6f4 UnregisterHotKey

• 0x48f6f8 CheckMenuRadioItem

• 0x48f6fc CharLowerBuffW

• 0x48f700 MoveWindow

• 0x48f704 SetFocus

• 0x48f708 PostQuitMessage

• 0x48f70c KillTimer

• 0x48f710 CreatePopupMenu

• 0x48f714 RegisterWindowMessageW

• 0x48f718 SetTimer

• 0x48f71c ShowWindow

• 0x48f720 CreateWindowExW

• 0x48f724 RegisterClassExW

• 0x48f728 LoadIconW

• 0x48f72c LoadCursorW

• 0x48f730 GetSysColorBrush

• 0x48f734 GetForegroundWindow

• 0x48f738 MessageBoxA

• 0x48f73c DestroyIcon

• 0x48f740 SystemParametersInfoW

• 0x48f744 LoadImageW

• 0x48f748 GetClassNameW

Library GDI32.dll:

• 0x48f0c4 StrokePath

• 0x48f0c8 DeleteObject

• 0x48f0cc GetTextExtentPoint32W

• 0x48f0d0 ExtCreatePen

• 0x48f0d4 GetDeviceCaps

• 0x48f0d8 EndPath

• 0x48f0dc SetPixel

• 0x48f0e0 CloseFigure

• 0x48f0e4 CreateCompatibleBitmap

• 0x48f0e8 CreateCompatibleDC

• 0x48f0ec SelectObject

• 0x48f0f0 StretchBlt

• 0x48f0f4 GetDIBits

• 0x48f0f8 LineTo

• 0x48f0fc AngleArc

• 0x48f100 MoveToEx

• 0x48f104 Ellipse

• 0x48f108 DeleteDC

• 0x48f10c GetPixel

• 0x48f110 CreateDCW

• 0x48f114 GetStockObject

• 0x48f118 GetTextFaceW

• 0x48f11c CreateFontW

• 0x48f120 SetTextColor

• 0x48f124 PolyDraw

• 0x48f128 BeginPath

• 0x48f12c Rectangle

• 0x48f130 SetViewportOrgEx

• 0x48f134 GetObjectW

• 0x48f138 SetBkMode

• 0x48f13c RoundRect

• 0x48f140 SetBkColor

• 0x48f144 CreatePen

• 0x48f148 CreateSolidBrush

• 0x48f14c StrokeAndFillPath

Library COMDLG32.dll:

• 0x48f0b8 GetOpenFileNameW

• 0x48f0bc GetSaveFileNameW

Library ADVAPI32.dll:

• 0x48f000 GetAce

• 0x48f004 RegEnumValueW

• 0x48f008 RegDeleteValueW

• 0x48f00c RegDeleteKeyW

• 0x48f010 RegEnumKeyExW

• 0x48f014 RegSetValueExW

• 0x48f018 RegOpenKeyExW

• 0x48f01c RegCloseKey

• 0x48f020 RegQueryValueExW

• 0x48f024 RegConnectRegistryW

• 0x48f028 InitializeSecurityDescriptor

• 0x48f02c InitializeAcl

• 0x48f030 AdjustTokenPrivileges

• 0x48f034 OpenThreadToken

• 0x48f038 OpenProcessToken

• 0x48f03c LookupPrivilegeValueW

• 0x48f040 DuplicateTokenEx

• 0x48f044 CreateProcessAsUserW

• 0x48f048 CreateProcessWithLogonW

• 0x48f04c GetLengthSid

• 0x48f050 CopySid

• 0x48f054 LogonUserW

• 0x48f058 AllocateAndInitializeSid

• 0x48f05c CheckTokenMembership

• 0x48f060 RegCreateKeyExW

• 0x48f064 FreeSid

• 0x48f068 GetTokenInformation

• 0x48f06c GetSecurityDescriptorDacl

• 0x48f070 GetAclInformation

• 0x48f074 AddAce

• 0x48f078 SetSecurityDescriptorDacl

• 0x48f07c GetUserNameW

• 0x48f080 InitiateSystemShutdownExW

Library SHELL32.dll:

• 0x48f48c DragQueryPoint

• 0x48f490 ShellExecuteExW

• 0x48f494 DragQueryFileW

• 0x48f498 SHEmptyRecycleBinW

• 0x48f49c SHGetPathFromIDListW

• 0x48f4a0 SHBrowseForFolderW

• 0x48f4a4 SHCreateShellItem

• 0x48f4a8 SHGetDesktopFolder

• 0x48f4ac SHGetSpecialFolderLocation

• 0x48f4b0 SHGetFolderPathW

• 0x48f4b4 SHFileOperationW

• 0x48f4b8 ExtractIconExW

• 0x48f4bc Shell_NotifyIconW

• 0x48f4c0 ShellExecuteW

• 0x48f4c4 DragFinish

Library ole32.dll:

• 0x48f828 CoTaskMemAlloc

• 0x48f82c CoTaskMemFree

• 0x48f830 CLSIDFromString

• 0x48f834 ProgIDFromCLSID

• 0x48f838 CLSIDFromProgID

• 0x48f83c OleSetMenuDescriptor

• 0x48f840 MkParseDisplayName

• 0x48f844 OleSetContainedObject

• 0x48f848 CoCreateInstance

• 0x48f84c IIDFromString

• 0x48f850 StringFromGUID2

• 0x48f854 CreateStreamOnHGlobal

• 0x48f858 OleInitialize

• 0x48f85c OleUninitialize

• 0x48f860 CoInitialize

• 0x48f864 CoUninitialize

• 0x48f868 GetRunningObjectTable

• 0x48f86c CoGetInstanceFromFile

• 0x48f870 CoGetObject

• 0x48f874 CoSetProxyBlanket

• 0x48f878 CoCreateInstanceEx

• 0x48f87c CoInitializeSecurity

Library OLEAUT32.dll:

• 0x48f40c LoadTypeLibEx

• 0x48f410 VariantCopyInd

• 0x48f414 SysReAllocString

• 0x48f418 SysFreeString

• 0x48f41c SafeArrayDestroyDescriptor

• 0x48f420 SafeArrayDestroyData

• 0x48f424 SafeArrayUnaccessData

• 0x48f428 SafeArrayAccessData

• 0x48f42c SafeArrayAllocData

• 0x48f430 SafeArrayAllocDescriptorEx

• 0x48f434 SafeArrayCreateVector

• 0x48f438 RegisterTypeLib

• 0x48f43c CreateStdDispatch

• 0x48f440 DispCallFunc

• 0x48f444 VariantChangeType

• 0x48f448 SysStringLen

• 0x48f44c VariantTimeToSystemTime

• 0x48f450 VarR8FromDec

• 0x48f454 SafeArrayGetVartype

• 0x48f458 VariantCopy

• 0x48f45c VariantClear

• 0x48f460 OleLoadPicture

• 0x48f464 QueryPathOfRegTypeLib

• 0x48f468 RegisterTypeLibForUser

• 0x48f46c UnRegisterTypeLibForUser

• 0x48f470 UnRegisterTypeLib

• 0x48f474 CreateDispTypeInfo

• 0x48f478 SysAllocString

• 0x48f47c VariantInit

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
daya4659.ddns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.110
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	51809	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.