11.4
0-day
52 个模型检测该样本为恶意!
重新分析
更多

03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969

7cd651329281022f1754aa0160acfa1b.exe

分析耗时

82s

最近分析

文件大小

1.5MB
静态报毒 动态报毒 100% AGEN AI SCORE=80 AIDETECT AMCS ARTEMIS AUITINJ AUTINJECT AUTOINJ AUTOIT CONFIDENCE CRYPTINJECT DOWNLOADER27 ELDORADO FPTTYQ GAMEHACK GENERICKD GRAYWARE HACKTOOL HIGH CONFIDENCE MALWARE1 MALWARE@#VUYELN97CALU REBHIP S + MAL SAVE SCORE SPYNET SUSGEN TROJANAITINJECT UNSAFE 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Artemis!7CD651329281 20210225 6.0.6.653
Alibaba VirTool:Win32/AutInject.21d271cb 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast AutoIt:Injector-JF [Trj] 20210225 21.1.5827.0
Tencent Win32.Trojan.Autoit.Amcs 20210225 1.0.0.1
Kingsoft 20210225 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
静态指标
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1620947587.185
IsDebuggerPresent
failed 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Connects to a Dynamic DNS Domain (1 个事件)
domain redlan1.hopto.org
Allocates read-write-execute memory (usually to unpack itself) (5 个事件)
Time & API Arguments Status Return Repeated
1620947594.42
NtAllocateVirtualMemory
process_identifier: 2120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x03090000
success 0 0
1620947594.513
NtAllocateVirtualMemory
process_identifier: 2120
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x034d0000
success 0 0
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 397312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10410000
success 0 0
1620947597.247498
NtProtectVirtualMemory
process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 270336
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10411000
success 0 0
1620947597.247498
NtProtectVirtualMemory
process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 118784
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10453000
success 0 0
Creates executable files on the filesystem (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\PerceptionSimulationService\chgusr.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\PerceptionSimulationService\vssadmin.vbs
Drops an executable to the user AppData folder (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\PerceptionSimulationService\chgusr.exe
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620947589.107
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
网络通信
One or more of the buffers contains an embedded PE file (3 个事件)
buffer Buffer with sha1: 5ba8f67af08afcf4b5d109b393af32658b11e8b7
buffer Buffer with sha1: 1494a9cab355ffc21252fed0a10e638d28c512c1
buffer Buffer with sha1: 52abf3238b766861124e48b85e96d1c3e8dad0b8
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (50 out of 133 个事件)
Time & API Arguments Status Return Repeated
1620947594.513
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000408
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1620947594.513
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000408
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 397312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10410000
success 0 0
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1620947596.372498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00120000
success 0 0
1620947596.372498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1620947596.372498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00140000
success 0 0
1620947596.372498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00150000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001d0000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001f0000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00200000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00610000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00620000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00670000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006c0000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006d0000
success 0 0
1620947596.497498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006e0000
success 0 0
1620947596.497498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006f0000
success 0 0
1620947596.497498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00700000
success 0 0
1620947596.497498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00710000
success 0 0
1620947596.512498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007a0000
success 0 0
1620947596.512498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007b0000
success 0 0
1620947596.512498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007c0000
success 0 0
1620947596.512498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007d0000
success 0 0
1620947596.528498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007e0000
success 0 0
1620947596.528498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007f0000
success 0 0
1620947596.528498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00800000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00810000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00820000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00830000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00840000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00850000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00860000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00870000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00880000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00890000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x008a0000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x008b0000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x008c0000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00b90000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00ba0000
success 0 0
1620947596.559498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00bb0000
success 0 0
1620947596.559498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00bc0000
success 0 0
1620947596.559498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00bd0000
success 0 0
1620947596.559498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00be0000
success 0 0
1620947596.669498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00c50000
success 0 0
1620947596.669498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00c60000
success 0 0
1620947596.669498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01070000
success 0 0
Installs itself for autorun at Windows startup (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vssadmin.url
Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (38 个事件)
Process injection Process 2620 created a remote thread in non-child process 2208
Time & API Arguments Status Return Repeated
1620947596.372498
CreateRemoteThread
thread_identifier: 1908
process_identifier: 2208
function_address: 0x00110000
flags: 0
process_handle: 0x000000b4
parameter: 0x00100000
stack_size: 0
success 188 0
1620947596.387498
CreateRemoteThread
thread_identifier: 624
process_identifier: 2208
function_address: 0x00150000
flags: 0
process_handle: 0x000000b4
parameter: 0x00140000
stack_size: 0
success 188 0
1620947596.481498
CreateRemoteThread
thread_identifier: 1940
process_identifier: 2208
function_address: 0x00610000
flags: 0
process_handle: 0x000000b4
parameter: 0x00200000
stack_size: 0
success 184 0
1620947596.497498
CreateRemoteThread
thread_identifier: 1948
process_identifier: 2208
function_address: 0x006d0000
flags: 0
process_handle: 0x000000b4
parameter: 0x006c0000
stack_size: 0
success 204 0
1620947596.512498
CreateRemoteThread
thread_identifier: 1888
process_identifier: 2208
function_address: 0x00710000
flags: 0
process_handle: 0x000000b4
parameter: 0x00700000
stack_size: 0
success 208 0
1620947596.512498
CreateRemoteThread
thread_identifier: 2060
process_identifier: 2208
function_address: 0x007d0000
flags: 0
process_handle: 0x000000b4
parameter: 0x007c0000
stack_size: 0
success 212 0
1620947596.544498
CreateRemoteThread
thread_identifier: 2536
process_identifier: 2208
function_address: 0x00800000
flags: 0
process_handle: 0x000000b4
parameter: 0x007f0000
stack_size: 0
success 216 0
1620947596.544498
CreateRemoteThread
thread_identifier: 2528
process_identifier: 2208
function_address: 0x00840000
flags: 0
process_handle: 0x000000b4
parameter: 0x00830000
stack_size: 0
success 216 0
1620947596.544498
CreateRemoteThread
thread_identifier: 648
process_identifier: 2208
function_address: 0x00870000
flags: 0
process_handle: 0x000000b4
parameter: 0x00860000
stack_size: 0
success 220 0
1620947596.544498
CreateRemoteThread
thread_identifier: 1108
process_identifier: 2208
function_address: 0x008b0000
flags: 0
process_handle: 0x000000b4
parameter: 0x008a0000
stack_size: 0
success 220 0
1620947596.559498
CreateRemoteThread
thread_identifier: 2740
process_identifier: 2208
function_address: 0x00ba0000
flags: 0
process_handle: 0x000000b4
parameter: 0x00b90000
stack_size: 0
success 224 0
1620947596.575498
CreateRemoteThread
thread_identifier: 2116
process_identifier: 2208
function_address: 0x00be0000
flags: 0
process_handle: 0x000000b4
parameter: 0x00bd0000
stack_size: 0
success 224 0
1620947596.684498
CreateRemoteThread
thread_identifier: 1056
process_identifier: 2208
function_address: 0x01070000
flags: 0
process_handle: 0x000000b4
parameter: 0x00c60000
stack_size: 0
success 228 0
1620947596.684498
CreateRemoteThread
thread_identifier: 1712
process_identifier: 2208
function_address: 0x010f0000
flags: 0
process_handle: 0x000000b4
parameter: 0x010e0000
stack_size: 0
success 228 0
1620947596.778498
CreateRemoteThread
thread_identifier: 2040
process_identifier: 2208
function_address: 0x01120000
flags: 0
process_handle: 0x000000b4
parameter: 0x01110000
stack_size: 0
success 232 0
1620947596.778498
CreateRemoteThread
thread_identifier: 1688
process_identifier: 2208
function_address: 0x011a0000
flags: 0
process_handle: 0x000000b4
parameter: 0x01190000
stack_size: 0
success 232 0
1620947596.778498
CreateRemoteThread
thread_identifier: 3064
process_identifier: 2208
function_address: 0x011d0000
flags: 0
process_handle: 0x000000b4
parameter: 0x011c0000
stack_size: 0
success 236 0
1620947596.778498
CreateRemoteThread
thread_identifier: 1632
process_identifier: 2208
function_address: 0x01210000
flags: 0
process_handle: 0x000000b4
parameter: 0x01200000
stack_size: 0
success 236 0
1620947596.872498
CreateRemoteThread
thread_identifier: 2344
process_identifier: 2208
function_address: 0x01240000
flags: 0
process_handle: 0x000000b4
parameter: 0x01230000
stack_size: 0
success 240 0
1620947596.872498
CreateRemoteThread
thread_identifier: 2996
process_identifier: 2208
function_address: 0x01280000
flags: 0
process_handle: 0x000000b4
parameter: 0x01270000
stack_size: 0
success 240 0
1620947596.887498
CreateRemoteThread
thread_identifier: 2128
process_identifier: 2208
function_address: 0x012b0000
flags: 0
process_handle: 0x000000b4
parameter: 0x012a0000
stack_size: 0
success 244 0
1620947596.903498
CreateRemoteThread
thread_identifier: 2452
process_identifier: 2208
function_address: 0x01370000
flags: 0
process_handle: 0x000000b4
parameter: 0x01360000
stack_size: 0
success 244 0
1620947596.919498
CreateRemoteThread
thread_identifier: 2868
process_identifier: 2208
function_address: 0x013a0000
flags: 0
process_handle: 0x000000b4
parameter: 0x01390000
stack_size: 0
success 248 0
1620947596.919498
CreateRemoteThread
thread_identifier: 2288
process_identifier: 2208
function_address: 0x013e0000
flags: 0
process_handle: 0x000000b4
parameter: 0x013d0000
stack_size: 0
success 248 0
1620947596.966498
CreateRemoteThread
thread_identifier: 1752
process_identifier: 2208
function_address: 0x01410000
flags: 0
process_handle: 0x000000b4
parameter: 0x01400000
stack_size: 0
success 252 0
1620947596.981498
CreateRemoteThread
thread_identifier: 2428
process_identifier: 2208
function_address: 0x01450000
flags: 0
process_handle: 0x000000b4
parameter: 0x01440000
stack_size: 0
success 252 0
1620947597.137498
CreateRemoteThread
thread_identifier: 708
process_identifier: 2208
function_address: 0x014c0000
flags: 0
process_handle: 0x000000b4
parameter: 0x01470000
stack_size: 0
success 256 0
1620947597.169498
CreateRemoteThread
thread_identifier: 1320
process_identifier: 2208
function_address: 0x01540000
flags: 0
process_handle: 0x000000b4
parameter: 0x014f0000
stack_size: 0
success 256 0
1620947597.184498
CreateRemoteThread
thread_identifier: 1932
process_identifier: 2208
function_address: 0x01970000
flags: 0
process_handle: 0x000000b4
parameter: 0x01560000
stack_size: 0
success 260 0
1620947597.200498
CreateRemoteThread
thread_identifier: 1880
process_identifier: 2208
function_address: 0x019b0000
flags: 0
process_handle: 0x000000b4
parameter: 0x019a0000
stack_size: 0
success 260 0
1620947597.200498
CreateRemoteThread
thread_identifier: 1464
process_identifier: 2208
function_address: 0x019e0000
flags: 0
process_handle: 0x000000b4
parameter: 0x019d0000
stack_size: 0
success 264 0
1620947597.200498
CreateRemoteThread
thread_identifier: 1760
process_identifier: 2208
function_address: 0x01aa0000
flags: 0
process_handle: 0x000000b4
parameter: 0x01a50000
stack_size: 0
success 264 0
1620947597.216498
CreateRemoteThread
thread_identifier: 3076
process_identifier: 2208
function_address: 0x03240000
flags: 0
process_handle: 0x000000b4
parameter: 0x01ac0000
stack_size: 0
success 268 0
1620947597.216498
CreateRemoteThread
thread_identifier: 3080
process_identifier: 2208
function_address: 0x03280000
flags: 0
process_handle: 0x000000b4
parameter: 0x03270000
stack_size: 0
success 268 0
1620947597.231498
CreateRemoteThread
thread_identifier: 3084
process_identifier: 2208
function_address: 0x032b0000
flags: 0
process_handle: 0x000000b4
parameter: 0x032a0000
stack_size: 0
success 272 0
1620947597.247498
CreateRemoteThread
thread_identifier: 3088
process_identifier: 2208
function_address: 0x03770000
flags: 0
process_handle: 0x000000b4
parameter: 0x03760000
stack_size: 0
success 272 0
1620947597.356498
CreateRemoteThread
thread_identifier: 3092
process_identifier: 2208
function_address: 0x03b90000
flags: 0
process_handle: 0x000000b4
parameter: 0x03780000
stack_size: 0
success 276 0
Manipulates memory of a non-child process indicative of process injection (50 out of 132 个事件)
Process injection Process 2620 manipulating memory of non-child process 2208
Time & API Arguments Status Return Repeated
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 397312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10410000
success 0 0
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1620947596.372498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00120000
success 0 0
1620947596.372498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1620947596.372498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00140000
success 0 0
1620947596.372498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00150000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001d0000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001f0000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00200000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00610000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00620000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00670000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006c0000
success 0 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006d0000
success 0 0
1620947596.497498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006e0000
success 0 0
1620947596.497498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006f0000
success 0 0
1620947596.497498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00700000
success 0 0
1620947596.497498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00710000
success 0 0
1620947596.512498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007a0000
success 0 0
1620947596.512498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007b0000
success 0 0
1620947596.512498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007c0000
success 0 0
1620947596.512498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007d0000
success 0 0
1620947596.528498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007e0000
success 0 0
1620947596.528498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007f0000
success 0 0
1620947596.528498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00800000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00810000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00820000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00830000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00840000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00850000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00860000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00870000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00880000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00890000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x008a0000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x008b0000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x008c0000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00b90000
success 0 0
1620947596.544498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00ba0000
success 0 0
1620947596.559498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00bb0000
success 0 0
1620947596.559498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00bc0000
success 0 0
1620947596.559498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00bd0000
success 0 0
1620947596.559498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00be0000
success 0 0
1620947596.669498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00c50000
success 0 0
1620947596.669498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00c60000
success 0 0
1620947596.669498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01070000
success 0 0
1620947596.684498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01080000
success 0 0
Potential code injection by writing to the memory of another process (50 out of 132 个事件)
Process injection Process 2620 injected into non-child 2208
Time & API Arguments Status Return Repeated
1620947594.529
WriteProcessMemory
process_identifier: 2620
buffer:
process_handle: 0x00000408
base_address: 0xfffde008
success 1 0
1620947596.325498
WriteProcessMemory
process_identifier: 2208
buffer: KERNEL32.DLL
process_handle: 0x000000b4
base_address: 0x000b0000
success 1 0
1620947596.325498
WriteProcessMemory
process_identifier: 2208
buffer: ×I5v ÿ5v
process_handle: 0x000000b4
base_address: 0x00100000
success 1 0
1620947596.325498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄô‹E‹‰Uô‹P‰Uø‹P‰UüÿuøÿUô¸ÿÿÿÿPÿUüëõ‹å]@U‹ìƒÄðSV‰Uü‹ð‹Eüèßåÿÿ3ÀUhâ9 dÿ0d‰ 3Ûhô9 hü9 è€üÿÿPè’üÿÿ‰Eøh: hü9 èhüÿÿPèzüÿÿ‰Eð‹Eüè§åÿÿ‹Ð‹Æè2þÿÿ‰Eôj jMðº9 ‹ÆèÜþÿÿ…ÀtPènûÿÿ³3ÀZYYd‰hé9 EüèßàÿÿÃ
process_handle: 0x000000b4
base_address: 0x00110000
success 1 0
1620947596.372498
WriteProcessMemory
process_identifier: 2208
buffer: LoadLibraryA
process_handle: 0x000000b4
base_address: 0x00120000
success 1 0
1620947596.372498
WriteProcessMemory
process_identifier: 2208
buffer: KERNEL32.DLL
process_handle: 0x000000b4
base_address: 0x00130000
success 1 0
1620947596.372498
WriteProcessMemory
process_identifier: 2208
buffer: ˜ÕØw"5vE5v
process_handle: 0x000000b4
base_address: 0x00140000
success 1 0
1620947596.372498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀSVWUƒÄè‹é‹ú‹Ø3öhô: h; è’ûÿÿPè¤ûÿÿ‰D$ h; h; èyûÿÿPè‹ûÿÿ‰D$h$; h; è`ûÿÿPèrûÿÿ‰D$‹Õ‹Ã
process_handle: 0x000000b4
base_address: 0x00150000
success 1 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: GetProcAddress
process_handle: 0x000000b4
base_address: 0x001d0000
success 1 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: KERNEL32.DLL
process_handle: 0x000000b4
base_address: 0x001f0000
success 1 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: ˜ÕØw"5vE5v
process_handle: 0x000000b4
base_address: 0x00200000
success 1 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀSVWUƒÄè‹é‹ú‹Ø3öhô: h; è’ûÿÿPè¤ûÿÿ‰D$ h; h; èyûÿÿPè‹ûÿÿ‰D$h$; h; è`ûÿÿPèrûÿÿ‰D$‹Õ‹Ã
process_handle: 0x000000b4
base_address: 0x00610000
success 1 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: VirtualProtect
process_handle: 0x000000b4
base_address: 0x00620000
success 1 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: KERNEL32.DLL
process_handle: 0x000000b4
base_address: 0x00670000
success 1 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: ˜ÕØw"5vE5vgb
process_handle: 0x000000b4
base_address: 0x006c0000
success 1 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀSVWUƒÄè‹é‹ú‹Ø3öhô: h; è’ûÿÿPè¤ûÿÿ‰D$ h; h; èyûÿÿPè‹ûÿÿ‰D$h$; h; è`ûÿÿPèrûÿÿ‰D$‹Õ‹Ã
process_handle: 0x000000b4
base_address: 0x006d0000
success 1 0
1620947596.497498
WriteProcessMemory
process_identifier: 2208
buffer: VirtualAlloc
process_handle: 0x000000b4
base_address: 0x006e0000
success 1 0
1620947596.497498
WriteProcessMemory
process_identifier: 2208
buffer: KERNEL32.DLL
process_handle: 0x000000b4
base_address: 0x006f0000
success 1 0
1620947596.497498
WriteProcessMemory
process_identifier: 2208
buffer: ˜ÕØw"5vE5von
process_handle: 0x000000b4
base_address: 0x00700000
success 1 0
1620947596.497498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀSVWUƒÄè‹é‹ú‹Ø3öhô: h; è’ûÿÿPè¤ûÿÿ‰D$ h; h; èyûÿÿPè‹ûÿÿ‰D$h$; h; è`ûÿÿPèrûÿÿ‰D$‹Õ‹Ã
process_handle: 0x000000b4
base_address: 0x00710000
success 1 0
1620947596.512498
WriteProcessMemory
process_identifier: 2208
buffer: VirtualFree
process_handle: 0x000000b4
base_address: 0x007a0000
success 1 0
1620947596.512498
WriteProcessMemory
process_identifier: 2208
buffer: KERNEL32.DLL
process_handle: 0x000000b4
base_address: 0x007b0000
success 1 0
1620947596.512498
WriteProcessMemory
process_identifier: 2208
buffer: ˜ÕØw"5vE5v{z
process_handle: 0x000000b4
base_address: 0x007c0000
success 1 0
1620947596.512498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀSVWUƒÄè‹é‹ú‹Ø3öhô: h; è’ûÿÿPè¤ûÿÿ‰D$ h; h; èyûÿÿPè‹ûÿÿ‰D$h$; h; è`ûÿÿPèrûÿÿ‰D$‹Õ‹Ã
process_handle: 0x000000b4
base_address: 0x007d0000
success 1 0
1620947596.528498
WriteProcessMemory
process_identifier: 2208
buffer: advapi32.dll
process_handle: 0x000000b4
base_address: 0x007e0000
success 1 0
1620947596.528498
WriteProcessMemory
process_identifier: 2208
buffer: ×I5v~ÿ5v
process_handle: 0x000000b4
base_address: 0x007f0000
success 1 0
1620947596.528498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄô‹E‹‰Uô‹P‰Uø‹P‰UüÿuøÿUô¸ÿÿÿÿPÿUüëõ‹å]@U‹ìƒÄðSV‰Uü‹ð‹Eüèßåÿÿ3ÀUhâ9 dÿ0d‰ 3Ûhô9 hü9 è€üÿÿPè’üÿÿ‰Eøh: hü9 èhüÿÿPèzüÿÿ‰Eð‹Eüè§åÿÿ‹Ð‹Æè2þÿÿ‰Eôj jMðº9 ‹ÆèÜþÿÿ…ÀtPènûÿÿ³3ÀZYYd‰hé9 EüèßàÿÿÃ
process_handle: 0x000000b4
base_address: 0x00800000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: RegOpenKeyA
process_handle: 0x000000b4
base_address: 0x00810000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: advapi32.dll
process_handle: 0x000000b4
base_address: 0x00820000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: ˜ÕØw"5vE5v‚
process_handle: 0x000000b4
base_address: 0x00830000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀSVWUƒÄè‹é‹ú‹Ø3öhô: h; è’ûÿÿPè¤ûÿÿ‰D$ h; h; èyûÿÿPè‹ûÿÿ‰D$h$; h; è`ûÿÿPèrûÿÿ‰D$‹Õ‹Ã
process_handle: 0x000000b4
base_address: 0x00840000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: AVICAP32.DLL
process_handle: 0x000000b4
base_address: 0x00850000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: ×I5v…ÿ5v
process_handle: 0x000000b4
base_address: 0x00860000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄô‹E‹‰Uô‹P‰Uø‹P‰UüÿuøÿUô¸ÿÿÿÿPÿUüëõ‹å]@U‹ìƒÄðSV‰Uü‹ð‹Eüèßåÿÿ3ÀUhâ9 dÿ0d‰ 3Ûhô9 hü9 è€üÿÿPè’üÿÿ‰Eøh: hü9 èhüÿÿPèzüÿÿ‰Eð‹Eüè§åÿÿ‹Ð‹Æè2þÿÿ‰Eôj jMðº9 ‹ÆèÜþÿÿ…ÀtPènûÿÿ³3ÀZYYd‰hé9 EüèßàÿÿÃ
process_handle: 0x000000b4
base_address: 0x00870000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: capCreateCaptureWindowA
process_handle: 0x000000b4
base_address: 0x00880000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: AVICAP32.DLL
process_handle: 0x000000b4
base_address: 0x00890000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: ˜ÕØw"5vE5v‰ˆ
process_handle: 0x000000b4
base_address: 0x008a0000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀSVWUƒÄè‹é‹ú‹Ø3öhô: h; è’ûÿÿPè¤ûÿÿ‰D$ h; h; èyûÿÿPè‹ûÿÿ‰D$h$; h; è`ûÿÿPèrûÿÿ‰D$‹Õ‹Ã
process_handle: 0x000000b4
base_address: 0x008b0000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: gdi32.dll
process_handle: 0x000000b4
base_address: 0x008c0000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: ×I5vŒÿ5v
process_handle: 0x000000b4
base_address: 0x00b90000
success 1 0
1620947596.544498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄô‹E‹‰Uô‹P‰Uø‹P‰UüÿuøÿUô¸ÿÿÿÿPÿUüëõ‹å]@U‹ìƒÄðSV‰Uü‹ð‹Eüèßåÿÿ3ÀUhâ9 dÿ0d‰ 3Ûhô9 hü9 è€üÿÿPè’üÿÿ‰Eøh: hü9 èhüÿÿPèzüÿÿ‰Eð‹Eüè§åÿÿ‹Ð‹Æè2þÿÿ‰Eôj jMðº9 ‹ÆèÜþÿÿ…ÀtPènûÿÿ³3ÀZYYd‰hé9 EüèßàÿÿÃ
process_handle: 0x000000b4
base_address: 0x00ba0000
success 1 0
1620947596.559498
WriteProcessMemory
process_identifier: 2208
buffer: BitBlt
process_handle: 0x000000b4
base_address: 0x00bb0000
success 1 0
1620947596.559498
WriteProcessMemory
process_identifier: 2208
buffer: gdi32.dll
process_handle: 0x000000b4
base_address: 0x00bc0000
success 1 0
1620947596.559498
WriteProcessMemory
process_identifier: 2208
buffer: ˜ÕØw"5vE5v¼»
process_handle: 0x000000b4
base_address: 0x00bd0000
success 1 0
1620947596.559498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀSVWUƒÄè‹é‹ú‹Ø3öhô: h; è’ûÿÿPè¤ûÿÿ‰D$ h; h; èyûÿÿPè‹ûÿÿ‰D$h$; h; è`ûÿÿPèrûÿÿ‰D$‹Õ‹Ã
process_handle: 0x000000b4
base_address: 0x00be0000
success 1 0
1620947596.669498
WriteProcessMemory
process_identifier: 2208
buffer: gdiplus.dll
process_handle: 0x000000b4
base_address: 0x00c50000
success 1 0
1620947596.669498
WriteProcessMemory
process_identifier: 2208
buffer: ×I5vÅÿ5v
process_handle: 0x000000b4
base_address: 0x00c60000
success 1 0
1620947596.669498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄô‹E‹‰Uô‹P‰Uø‹P‰UüÿuøÿUô¸ÿÿÿÿPÿUüëõ‹å]@U‹ìƒÄðSV‰Uü‹ð‹Eüèßåÿÿ3ÀUhâ9 dÿ0d‰ 3Ûhô9 hü9 è€üÿÿPè’üÿÿ‰Eøh: hü9 èhüÿÿPèzüÿÿ‰Eð‹Eüè§åÿÿ‹Ð‹Æè2þÿÿ‰Eôj jMðº9 ‹ÆèÜþÿÿ…ÀtPènûÿÿ³3ÀZYYd‰hé9 EüèßàÿÿÃ
process_handle: 0x000000b4
base_address: 0x01070000
success 1 0
1620947596.684498
WriteProcessMemory
process_identifier: 2208
buffer: GdipFree
process_handle: 0x000000b4
base_address: 0x01080000
success 1 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1620947591.685
RegSetValueExA
key_handle: 0x0000039c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620947591.685
RegSetValueExA
key_handle: 0x0000039c
value: Pû~)EH×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620947591.685
RegSetValueExA
key_handle: 0x0000039c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620947591.685
RegSetValueExW
key_handle: 0x0000039c
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620947591.685
RegSetValueExA
key_handle: 0x000003b4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620947591.701
RegSetValueExA
key_handle: 0x000003b4
value: Pû~)EH×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620947591.701
RegSetValueExA
key_handle: 0x000003b4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620947591.732
RegSetValueExW
key_handle: 0x00000398
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 2120 called NtSetContextThread to modify thread in remote process 2620
Time & API Arguments Status Return Repeated
1620947594.529
NtSetContextThread
thread_handle: 0x00000404
registers.eip: 2010382788
registers.esp: 6355284
registers.edi: 0
registers.eax: 768972
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
process_identifier: 2620
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 2120 resumed a thread in remote process 2620
Time & API Arguments Status Return Repeated
1620947594.888
NtResumeThread
thread_handle: 0x00000404
suspend_count: 1
process_identifier: 2620
success 0 0
Creates known SpyNet files, registry changes and/or mutexes. (3 个事件)
mutex _x_X_PASSWORDLIST_X_x_
mutex _x_X_BLOCKMOUSE_X_x_
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\XX--XX--XX.txt
Executed a process and injected code into it, probably while unpacking (50 out of 272 个事件)
Time & API Arguments Status Return Repeated
1620947588.638
CreateProcessInternalW
thread_identifier: 2264
thread_handle: 0x000002a8
process_identifier: 2772
current_directory:
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\WININET.dll",DispatchAPICall 1
filepath_r: C:\Windows\system32\rundll32.exe
stack_pivoted: 0
creation_flags: 0 ()
process_handle: 0x000002ac
inherit_handles: 0
success 1 0
1620947594.513
CreateProcessInternalW
thread_identifier: 2456
thread_handle: 0x00000404
process_identifier: 2620
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7cd651329281022f1754aa0160acfa1b.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7cd651329281022f1754aa0160acfa1b.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000408
inherit_handles: 0
success 1 0
1620947594.513
NtGetContextThread
thread_handle: 0x00000404
success 0 0
1620947594.513
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000408
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1620947594.513
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000408
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1620947594.513
WriteProcessMemory
process_identifier: 2620
buffer:
process_handle: 0x00000408
base_address: 0x000b0000
success 1 0
1620947594.529
WriteProcessMemory
process_identifier: 2620
buffer:
process_handle: 0x00000408
base_address: 0xfffde008
success 1 0
1620947594.529
NtSetContextThread
thread_handle: 0x00000404
registers.eip: 2010382788
registers.esp: 6355284
registers.edi: 0
registers.eax: 768972
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
process_identifier: 2620
success 0 0
1620947594.888
NtResumeThread
thread_handle: 0x00000404
suspend_count: 1
process_identifier: 2620
success 0 0
1620947596.325498
CreateProcessInternalW
thread_identifier: 2668
thread_handle: 0x000000b0
process_identifier: 2208
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7cd651329281022f1754aa0160acfa1b.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7cd651329281022f1754aa0160acfa1b.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000000b4
inherit_handles: 0
success 1 0
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 397312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x10410000
success 0 0
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x000b0000
success 0 0
1620947596.325498
WriteProcessMemory
process_identifier: 2208
buffer: KERNEL32.DLL
process_handle: 0x000000b4
base_address: 0x000b0000
success 1 0
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00100000
success 0 0
1620947596.325498
WriteProcessMemory
process_identifier: 2208
buffer: ×I5v ÿ5v
process_handle: 0x000000b4
base_address: 0x00100000
success 1 0
1620947596.325498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00110000
success 0 0
1620947596.325498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄô‹E‹‰Uô‹P‰Uø‹P‰UüÿuøÿUô¸ÿÿÿÿPÿUüëõ‹å]@U‹ìƒÄðSV‰Uü‹ð‹Eüèßåÿÿ3ÀUhâ9 dÿ0d‰ 3Ûhô9 hü9 è€üÿÿPè’üÿÿ‰Eøh: hü9 èhüÿÿPèzüÿÿ‰Eð‹Eüè§åÿÿ‹Ð‹Æè2þÿÿ‰Eôj jMðº9 ‹ÆèÜþÿÿ…ÀtPènûÿÿ³3ÀZYYd‰hé9 EüèßàÿÿÃ
process_handle: 0x000000b4
base_address: 0x00110000
success 1 0
1620947596.372498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00120000
success 0 0
1620947596.372498
WriteProcessMemory
process_identifier: 2208
buffer: LoadLibraryA
process_handle: 0x000000b4
base_address: 0x00120000
success 1 0
1620947596.372498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00130000
success 0 0
1620947596.372498
WriteProcessMemory
process_identifier: 2208
buffer: KERNEL32.DLL
process_handle: 0x000000b4
base_address: 0x00130000
success 1 0
1620947596.372498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00140000
success 0 0
1620947596.372498
WriteProcessMemory
process_identifier: 2208
buffer: ˜ÕØw"5vE5v
process_handle: 0x000000b4
base_address: 0x00140000
success 1 0
1620947596.372498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00150000
success 0 0
1620947596.372498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀSVWUƒÄè‹é‹ú‹Ø3öhô: h; è’ûÿÿPè¤ûÿÿ‰D$ h; h; èyûÿÿPè‹ûÿÿ‰D$h$; h; è`ûÿÿPèrûÿÿ‰D$‹Õ‹Ã
process_handle: 0x000000b4
base_address: 0x00150000
success 1 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001d0000
success 0 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: GetProcAddress
process_handle: 0x000000b4
base_address: 0x001d0000
success 1 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x001f0000
success 0 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: KERNEL32.DLL
process_handle: 0x000000b4
base_address: 0x001f0000
success 1 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00200000
success 0 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: ˜ÕØw"5vE5v
process_handle: 0x000000b4
base_address: 0x00200000
success 1 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00610000
success 0 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀSVWUƒÄè‹é‹ú‹Ø3öhô: h; è’ûÿÿPè¤ûÿÿ‰D$ h; h; èyûÿÿPè‹ûÿÿ‰D$h$; h; è`ûÿÿPèrûÿÿ‰D$‹Õ‹Ã
process_handle: 0x000000b4
base_address: 0x00610000
success 1 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00620000
success 0 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: VirtualProtect
process_handle: 0x000000b4
base_address: 0x00620000
success 1 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00670000
success 0 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: KERNEL32.DLL
process_handle: 0x000000b4
base_address: 0x00670000
success 1 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006c0000
success 0 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: ˜ÕØw"5vE5vgb
process_handle: 0x000000b4
base_address: 0x006c0000
success 1 0
1620947596.481498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006d0000
success 0 0
1620947596.481498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀSVWUƒÄè‹é‹ú‹Ø3öhô: h; è’ûÿÿPè¤ûÿÿ‰D$ h; h; èyûÿÿPè‹ûÿÿ‰D$h$; h; è`ûÿÿPèrûÿÿ‰D$‹Õ‹Ã
process_handle: 0x000000b4
base_address: 0x006d0000
success 1 0
1620947596.497498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006e0000
success 0 0
1620947596.497498
WriteProcessMemory
process_identifier: 2208
buffer: VirtualAlloc
process_handle: 0x000000b4
base_address: 0x006e0000
success 1 0
1620947596.497498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006f0000
success 0 0
1620947596.497498
WriteProcessMemory
process_identifier: 2208
buffer: KERNEL32.DLL
process_handle: 0x000000b4
base_address: 0x006f0000
success 1 0
1620947596.497498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00700000
success 0 0
1620947596.497498
WriteProcessMemory
process_identifier: 2208
buffer: ˜ÕØw"5vE5von
process_handle: 0x000000b4
base_address: 0x00700000
success 1 0
1620947596.497498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00710000
success 0 0
1620947596.497498
WriteProcessMemory
process_identifier: 2208
buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀSVWUƒÄè‹é‹ú‹Ø3öhô: h; è’ûÿÿPè¤ûÿÿ‰D$ h; h; èyûÿÿPè‹ûÿÿ‰D$h$; h; è`ûÿÿPèrûÿÿ‰D$‹Õ‹Ã
process_handle: 0x000000b4
base_address: 0x00710000
success 1 0
1620947596.512498
NtAllocateVirtualMemory
process_identifier: 2208
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007a0000
success 0 0
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.32034803
FireEye Generic.mg.7cd651329281022f
Qihoo-360 Win32/Trojan.079
McAfee Artemis!7CD651329281
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0054cf4a1 )
Alibaba VirTool:Win32/AutInject.21d271cb
K7GW Trojan ( 0054cf4a1 )
Cybereason malicious.292810
Arcabit Trojan.Generic.D1E8CFF3
BitDefenderTheta AI:Packer.427ADA5817
Cyren W32/AutoIt.LN.gen!Eldorado
Symantec Packed.Generic.548
APEX Malicious
Avast AutoIt:Injector-JF [Trj]
Kaspersky HEUR:Trojan.Win32.AutoIt.gen
BitDefender Trojan.GenericKD.32034803
NANO-Antivirus Trojan.Win32.Mlw.fpttyq
Paloalto generic.ml
Tencent Win32.Trojan.Autoit.Amcs
Ad-Aware Trojan.GenericKD.32034803
Sophos Mal/Generic-S + Mal/AuItInj-A
Comodo Malware@#vuyeln97calu
F-Secure Heuristic.HEUR/AGEN.1100084
DrWeb Trojan.DownLoader27.61825
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.AutoIt.CRYPTINJECT.SMA
McAfee-GW-Edition BehavesLike.Win32.TrojanAitInject.th
Emsisoft Trojan.GenericKD.32034803 (B)
Avira HEUR/AGEN.1100084
MAX malware (ai score=80)
Antiy-AVL GrayWare/Autoit.ShellCode.a
Microsoft Worm:Win32/Rebhip
AegisLab Hacktool.Win32.Gamehack.3!e
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Trojan.GenericKD.32034803
Cynet Malicious (score: 100)
AhnLab-V3 Win-Trojan/AutoInj.Exp
VBA32 Trojan.Downloader
Malwarebytes Generic.Malware/Suspicious
ESET-NOD32 a variant of Win32/Packed.AutoIt.PC
TrendMicro-HouseCall Trojan.AutoIt.CRYPTINJECT.SMA
Ikarus Trojan.Autoit
eGambit Unsafe.AI_Score_93%
Fortinet AutoIt/Injector.DWD!tr
AVG AutoIt:Injector-JF [Trj]
Panda Trj/CI.A
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2019-04-27 19:25:52

Imports

Library WSOCK32.dll:
0x48f7c8 WSACleanup
0x48f7cc socket
0x48f7d0 inet_ntoa
0x48f7d4 setsockopt
0x48f7d8 ntohs
0x48f7dc recvfrom
0x48f7e0 ioctlsocket
0x48f7e4 htons
0x48f7e8 WSAStartup
0x48f7ec __WSAFDIsSet
0x48f7f0 select
0x48f7f4 accept
0x48f7f8 listen
0x48f7fc bind
0x48f800 closesocket
0x48f804 WSAGetLastError
0x48f808 recv
0x48f80c sendto
0x48f810 send
0x48f814 inet_addr
0x48f818 gethostbyname
0x48f81c gethostname
0x48f820 connect
Library VERSION.dll:
0x48f76c GetFileVersionInfoW
0x48f774 VerQueryValueW
Library WINMM.dll:
0x48f7b8 timeGetTime
0x48f7bc waveOutSetVolume
0x48f7c0 mciSendStringW
Library COMCTL32.dll:
0x48f08c ImageList_Destroy
0x48f090 ImageList_Remove
0x48f098 ImageList_BeginDrag
0x48f09c ImageList_DragEnter
0x48f0a0 ImageList_DragLeave
0x48f0a4 ImageList_EndDrag
0x48f0a8 ImageList_DragMove
0x48f0b0 ImageList_Create
Library MPR.dll:
0x48f3f8 WNetUseConnectionW
0x48f400 WNetGetConnectionW
0x48f404 WNetAddConnection2W
Library WININET.dll:
0x48f780 InternetCloseHandle
0x48f784 InternetOpenW
0x48f788 InternetSetOptionW
0x48f78c InternetCrackUrlW
0x48f790 HttpQueryInfoW
0x48f798 HttpOpenRequestW
0x48f79c HttpSendRequestW
0x48f7a0 FtpOpenFileW
0x48f7a4 FtpGetFileSize
0x48f7a8 InternetOpenUrlW
0x48f7ac InternetReadFile
0x48f7b0 InternetConnectW
Library PSAPI.DLL:
Library IPHLPAPI.DLL:
0x48f154 IcmpCreateFile
0x48f158 IcmpCloseHandle
0x48f15c IcmpSendEcho
Library USERENV.dll:
0x48f754 UnloadUserProfile
0x48f75c LoadUserProfileW
Library UxTheme.dll:
0x48f764 IsThemeActive
Library KERNEL32.dll:
0x48f164 DuplicateHandle
0x48f168 CreateThread
0x48f16c WaitForSingleObject
0x48f170 HeapAlloc
0x48f174 GetProcessHeap
0x48f178 HeapFree
0x48f17c Sleep
0x48f180 GetCurrentThreadId
0x48f184 MultiByteToWideChar
0x48f188 MulDiv
0x48f18c GetVersionExW
0x48f190 IsWow64Process
0x48f194 GetSystemInfo
0x48f198 FreeLibrary
0x48f19c LoadLibraryA
0x48f1a0 GetProcAddress
0x48f1a4 SetErrorMode
0x48f1a8 GetModuleFileNameW
0x48f1ac WideCharToMultiByte
0x48f1b0 lstrcpyW
0x48f1b4 lstrlenW
0x48f1b8 GetModuleHandleW
0x48f1c0 VirtualFreeEx
0x48f1c4 OpenProcess
0x48f1c8 VirtualAllocEx
0x48f1cc WriteProcessMemory
0x48f1d0 ReadProcessMemory
0x48f1d4 CreateFileW
0x48f1d8 SetFilePointerEx
0x48f1dc SetEndOfFile
0x48f1e0 ReadFile
0x48f1e4 WriteFile
0x48f1e8 FlushFileBuffers
0x48f1ec TerminateProcess
0x48f1f4 Process32FirstW
0x48f1f8 Process32NextW
0x48f1fc SetFileTime
0x48f200 GetFileAttributesW
0x48f204 FindFirstFileW
0x48f20c GetLongPathNameW
0x48f210 GetShortPathNameW
0x48f214 DeleteFileW
0x48f218 FindNextFileW
0x48f21c CopyFileExW
0x48f220 MoveFileW
0x48f224 CreateDirectoryW
0x48f228 RemoveDirectoryW
0x48f22c SetSystemPowerState
0x48f234 FindResourceW
0x48f238 LoadResource
0x48f23c LockResource
0x48f240 SizeofResource
0x48f244 EnumResourceNamesW
0x48f248 OutputDebugStringW
0x48f24c GetTempPathW
0x48f250 GetTempFileNameW
0x48f254 DeviceIoControl
0x48f258 GetLocalTime
0x48f25c CompareStringW
0x48f260 GetCurrentProcess
0x48f26c GetStdHandle
0x48f270 CreatePipe
0x48f274 InterlockedExchange
0x48f278 TerminateThread
0x48f27c LoadLibraryExW
0x48f280 FindResourceExW
0x48f284 CopyFileW
0x48f288 VirtualFree
0x48f28c FormatMessageW
0x48f290 GetExitCodeProcess
0x48f2b8 GetDriveTypeW
0x48f2bc GetDiskFreeSpaceExW
0x48f2c0 GetDiskFreeSpaceW
0x48f2c8 SetVolumeLabelW
0x48f2cc CreateHardLinkW
0x48f2d0 SetFileAttributesW
0x48f2d4 CreateEventW
0x48f2d8 SetEvent
0x48f2e4 GlobalLock
0x48f2e8 GlobalUnlock
0x48f2ec GlobalAlloc
0x48f2f0 GetFileSize
0x48f2f4 GlobalFree
0x48f2fc Beep
0x48f300 GetSystemDirectoryW
0x48f304 HeapReAlloc
0x48f308 HeapSize
0x48f30c GetComputerNameW
0x48f314 GetCurrentProcessId
0x48f31c CreateProcessW
0x48f320 GetProcessId
0x48f324 SetPriorityClass
0x48f328 LoadLibraryW
0x48f32c VirtualAlloc
0x48f330 IsDebuggerPresent
0x48f338 lstrcmpiW
0x48f33c DecodePointer
0x48f340 GetLastError
0x48f344 RaiseException
0x48f358 GetCurrentThread
0x48f35c CloseHandle
0x48f360 GetFullPathNameW
0x48f364 EncodePointer
0x48f368 ExitProcess
0x48f36c GetModuleHandleExW
0x48f370 ExitThread
0x48f378 ResumeThread
0x48f37c GetCommandLineW
0x48f384 IsValidCodePage
0x48f388 GetACP
0x48f38c GetOEMCP
0x48f390 GetCPInfo
0x48f394 SetLastError
0x48f3a0 TlsAlloc
0x48f3a4 TlsGetValue
0x48f3a8 TlsSetValue
0x48f3ac TlsFree
0x48f3b0 GetStartupInfoW
0x48f3b4 GetStringTypeW
0x48f3b8 SetStdHandle
0x48f3bc GetFileType
0x48f3c0 GetConsoleCP
0x48f3c4 GetConsoleMode
0x48f3c8 RtlUnwind
0x48f3cc ReadConsoleW
0x48f3d4 GetDateFormatW
0x48f3d8 GetTimeFormatW
0x48f3dc LCMapStringW
0x48f3e8 WriteConsoleW
0x48f3ec FindClose
Library USER32.dll:
0x48f4cc AdjustWindowRectEx
0x48f4d0 CopyImage
0x48f4d4 SetWindowPos
0x48f4d8 GetCursorInfo
0x48f4dc RegisterHotKey
0x48f4e0 ClientToScreen
0x48f4e8 IsCharAlphaW
0x48f4ec IsCharAlphaNumericW
0x48f4f0 IsCharLowerW
0x48f4f4 IsCharUpperW
0x48f4f8 GetMenuStringW
0x48f4fc GetSubMenu
0x48f500 GetCaretPos
0x48f504 IsZoomed
0x48f508 MonitorFromPoint
0x48f50c GetMonitorInfoW
0x48f510 SetWindowLongW
0x48f518 FlashWindow
0x48f51c GetClassLongW
0x48f524 IsDialogMessageW
0x48f528 GetSysColor
0x48f52c InflateRect
0x48f530 DrawFocusRect
0x48f534 DrawTextW
0x48f538 FrameRect
0x48f53c DrawFrameControl
0x48f540 FillRect
0x48f544 PtInRect
0x48f550 SetCursor
0x48f554 GetWindowDC
0x48f558 GetSystemMetrics
0x48f55c GetActiveWindow
0x48f560 CharNextW
0x48f564 wsprintfW
0x48f568 RedrawWindow
0x48f56c DrawMenuBar
0x48f570 DestroyMenu
0x48f574 SetMenu
0x48f57c CreateMenu
0x48f580 IsDlgButtonChecked
0x48f584 DefDlgProcW
0x48f588 CallWindowProcW
0x48f58c ReleaseCapture
0x48f590 SetCapture
0x48f598 mouse_event
0x48f59c ExitWindowsEx
0x48f5a0 SetActiveWindow
0x48f5a4 FindWindowExW
0x48f5a8 EnumThreadWindows
0x48f5ac SetMenuDefaultItem
0x48f5b0 InsertMenuItemW
0x48f5b4 IsMenu
0x48f5b8 TrackPopupMenuEx
0x48f5bc GetCursorPos
0x48f5c0 DeleteMenu
0x48f5c4 SetRect
0x48f5c8 GetMenuItemID
0x48f5cc GetMenuItemCount
0x48f5d0 SetMenuItemInfoW
0x48f5d4 GetMenuItemInfoW
0x48f5d8 SetForegroundWindow
0x48f5dc IsIconic
0x48f5e0 FindWindowW
0x48f5e4 MonitorFromRect
0x48f5e8 keybd_event
0x48f5ec SendInput
0x48f5f0 GetAsyncKeyState
0x48f5f4 SetKeyboardState
0x48f5f8 GetKeyboardState
0x48f5fc GetKeyState
0x48f600 VkKeyScanW
0x48f604 LoadStringW
0x48f608 DialogBoxParamW
0x48f60c MessageBeep
0x48f610 EndDialog
0x48f614 SendDlgItemMessageW
0x48f618 GetDlgItem
0x48f61c SetWindowTextW
0x48f620 CopyRect
0x48f624 ReleaseDC
0x48f628 GetDC
0x48f62c EndPaint
0x48f630 BeginPaint
0x48f634 GetClientRect
0x48f638 GetMenu
0x48f63c DestroyWindow
0x48f640 EnumWindows
0x48f644 GetDesktopWindow
0x48f648 IsWindow
0x48f64c IsWindowEnabled
0x48f650 IsWindowVisible
0x48f654 EnableWindow
0x48f658 InvalidateRect
0x48f65c GetWindowLongW
0x48f664 AttachThreadInput
0x48f668 GetFocus
0x48f66c GetWindowTextW
0x48f670 ScreenToClient
0x48f674 SendMessageTimeoutW
0x48f678 EnumChildWindows
0x48f67c CharUpperBuffW
0x48f680 GetParent
0x48f684 GetDlgCtrlID
0x48f688 SendMessageW
0x48f68c MapVirtualKeyW
0x48f690 PostMessageW
0x48f694 GetWindowRect
0x48f69c CloseDesktop
0x48f6a0 CloseWindowStation
0x48f6a4 OpenDesktopW
0x48f6b0 OpenWindowStationW
0x48f6b8 MessageBoxW
0x48f6bc DefWindowProcW
0x48f6c0 SetClipboardData
0x48f6c4 EmptyClipboard
0x48f6cc CloseClipboard
0x48f6d0 GetClipboardData
0x48f6d8 OpenClipboard
0x48f6dc BlockInput
0x48f6e0 GetMessageW
0x48f6e4 LockWindowUpdate
0x48f6e8 DispatchMessageW
0x48f6ec TranslateMessage
0x48f6f0 PeekMessageW
0x48f6f4 UnregisterHotKey
0x48f6f8 CheckMenuRadioItem
0x48f6fc CharLowerBuffW
0x48f700 MoveWindow
0x48f704 SetFocus
0x48f708 PostQuitMessage
0x48f70c KillTimer
0x48f710 CreatePopupMenu
0x48f718 SetTimer
0x48f71c ShowWindow
0x48f720 CreateWindowExW
0x48f724 RegisterClassExW
0x48f728 LoadIconW
0x48f72c LoadCursorW
0x48f730 GetSysColorBrush
0x48f734 GetForegroundWindow
0x48f738 MessageBoxA
0x48f73c DestroyIcon
0x48f744 LoadImageW
0x48f748 GetClassNameW
Library GDI32.dll:
0x48f0c4 StrokePath
0x48f0c8 DeleteObject
0x48f0d0 ExtCreatePen
0x48f0d4 GetDeviceCaps
0x48f0d8 EndPath
0x48f0dc SetPixel
0x48f0e0 CloseFigure
0x48f0e8 CreateCompatibleDC
0x48f0ec SelectObject
0x48f0f0 StretchBlt
0x48f0f4 GetDIBits
0x48f0f8 LineTo
0x48f0fc AngleArc
0x48f100 MoveToEx
0x48f104 Ellipse
0x48f108 DeleteDC
0x48f10c GetPixel
0x48f110 CreateDCW
0x48f114 GetStockObject
0x48f118 GetTextFaceW
0x48f11c CreateFontW
0x48f120 SetTextColor
0x48f124 PolyDraw
0x48f128 BeginPath
0x48f12c Rectangle
0x48f130 SetViewportOrgEx
0x48f134 GetObjectW
0x48f138 SetBkMode
0x48f13c RoundRect
0x48f140 SetBkColor
0x48f144 CreatePen
0x48f148 CreateSolidBrush
0x48f14c StrokeAndFillPath
Library COMDLG32.dll:
0x48f0b8 GetOpenFileNameW
0x48f0bc GetSaveFileNameW
Library ADVAPI32.dll:
0x48f000 GetAce
0x48f004 RegEnumValueW
0x48f008 RegDeleteValueW
0x48f00c RegDeleteKeyW
0x48f010 RegEnumKeyExW
0x48f014 RegSetValueExW
0x48f018 RegOpenKeyExW
0x48f01c RegCloseKey
0x48f020 RegQueryValueExW
0x48f024 RegConnectRegistryW
0x48f02c InitializeAcl
0x48f034 OpenThreadToken
0x48f038 OpenProcessToken
0x48f040 DuplicateTokenEx
0x48f04c GetLengthSid
0x48f050 CopySid
0x48f054 LogonUserW
0x48f060 RegCreateKeyExW
0x48f064 FreeSid
0x48f068 GetTokenInformation
0x48f070 GetAclInformation
0x48f074 AddAce
0x48f07c GetUserNameW
Library SHELL32.dll:
0x48f48c DragQueryPoint
0x48f490 ShellExecuteExW
0x48f494 DragQueryFileW
0x48f498 SHEmptyRecycleBinW
0x48f4a0 SHBrowseForFolderW
0x48f4a4 SHCreateShellItem
0x48f4a8 SHGetDesktopFolder
0x48f4b0 SHGetFolderPathW
0x48f4b4 SHFileOperationW
0x48f4b8 ExtractIconExW
0x48f4bc Shell_NotifyIconW
0x48f4c0 ShellExecuteW
0x48f4c4 DragFinish
Library ole32.dll:
0x48f828 CoTaskMemAlloc
0x48f82c CoTaskMemFree
0x48f830 CLSIDFromString
0x48f834 ProgIDFromCLSID
0x48f838 CLSIDFromProgID
0x48f840 MkParseDisplayName
0x48f848 CoCreateInstance
0x48f84c IIDFromString
0x48f850 StringFromGUID2
0x48f858 OleInitialize
0x48f85c OleUninitialize
0x48f860 CoInitialize
0x48f864 CoUninitialize
0x48f870 CoGetObject
0x48f874 CoSetProxyBlanket
0x48f878 CoCreateInstanceEx
Library OLEAUT32.dll:
0x48f40c LoadTypeLibEx
0x48f410 VariantCopyInd
0x48f414 SysReAllocString
0x48f418 SysFreeString
0x48f428 SafeArrayAccessData
0x48f42c SafeArrayAllocData
0x48f438 RegisterTypeLib
0x48f43c CreateStdDispatch
0x48f440 DispCallFunc
0x48f444 VariantChangeType
0x48f448 SysStringLen
0x48f450 VarR8FromDec
0x48f454 SafeArrayGetVartype
0x48f458 VariantCopy
0x48f45c VariantClear
0x48f460 OleLoadPicture
0x48f470 UnRegisterTypeLib
0x48f474 CreateDispTypeInfo
0x48f478 SysAllocString
0x48f47c VariantInit

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.