11.2
0-day

SHA-256: 5e2ff37b8f894bb49e33a7dbfa804ea5561cb8acc7cbf95ed4b56d230b8cd148
File name: c991a7cf31980ad30387a80723b2cd97.exe
Analysis time: 80s
Last analysis
File size: 755.1KB
Flagged by static analysis; flagged by dynamic analysis. Tags: AI SCORE=84 ARTEMIS CONFIDENCE DAPATO ELDORADO F0D1C00HU20 FAREIT GENERICKD HIGH CONFIDENCE HTONJW LQQ86RYQHFS NETWIRE NONAME@0 OFFNW QVM06 R049C0PI220 SCORE SIGGEN10 TAER UNSAFE XKSFQR0TFKS YMACCO
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine results yet
Static verdict
Antivirus engines
Engine       Result                            Scan date  Engine version
Alibaba      Trojan:Win32/Ymacco.973b8549      20190527   0.3.0.5
Baidu        -                                 20190318   1.0.0.2
Avast        Win32:Malware-gen                 20200916   18.4.3895.0
Tencent      Win32.Trojan.Netwire.Taer         20200916   1.0.0.1
Kingsoft     -                                 20200916   2013.8.14.323
McAfee       Artemis!C991A7CF3198              20200915   6.0.6.653
CrowdStrike  win/malicious_confidence_90% (W)  20190702   1.0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time             API                      Status / Return / Repeated
1619929021.8435  NtAllocateVirtualMemory  success / 0 / 0
  process_identifier 3084, region_size 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, allocation_type 4096 (MEM_COMMIT), base_address 0x005f0000, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0
1619929047.1405  NtAllocateVirtualMemory  success / 0 / 0
  process_identifier 3084, region_size 106496, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff, allocation_type 12288 (MEM_COMMIT|MEM_RESERVE), base_address 0x50480000, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 1
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Rwkunet.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\Rwkutoc.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Rwkunet.exe
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time             API                     Status / Return / Repeated
1619929039.7335  NtProtectVirtualMemory  success / 0 / 0
  process_identifier 3084, length 36864, protection 32 (PAGE_EXECUTE_READ), process_handle 0xffffffff, base_address 0x02081000, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 1
Terminates another process (2 events)
Time             API                 Status / Return / Repeated
1619929054.8905  NtTerminateProcess  failed / 0 / 0
  status_code 0x00000000, process_identifier 4040, process_handle 0x0000042c
1619929054.8905  NtTerminateProcess  success / 0 / 0
  status_code 0x00000000, process_identifier 4040, process_handle 0x0000042c
Uses Windows utilities for basic Windows functionality (1 event)
cmdline C:\Program Files (x86)\internet explorer\ieinstal.exe
Network communication
One or more of the buffers contains an embedded PE file (1 event)
buffer Buffer with sha1: 7592729492033ec4f0ed15c30fccd9d31d7f8f4f
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (50 out of 475 events)
All 50 calls listed are NtAllocateVirtualMemory with process_identifier 3440, process_handle 0x00000260, protection 64 (PAGE_EXECUTE_READWRITE), allocation_type 12288 (MEM_COMMIT|MEM_RESERVE), stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0; status success, return 0, repeated 0. Only the time, region_size and base_address vary:
Time             region_size  base_address
1619929049.3905  106496       0x50480000
1619929049.3905  4096         0x00130000
1619929049.3905  4096         0x00140000
1619929049.3905  4096         0x00150000
1619929049.3905  4096         0x00010000
1619929049.3905  4096         0x00020000
1619929049.3905  4096         0x00160000
1619929049.3905  4096         0x00170000
1619929049.4525  4096         0x00230000
1619929049.4525  4096         0x00250000
1619929049.4525  4096         0x00260000
1619929049.4525  4096         0x00270000
1619929049.4525  4096         0x00280000
1619929049.4525  4096         0x002c0000
1619929049.4525  4096         0x002d0000
1619929049.4525  4096         0x002e0000
1619929049.4525  4096         0x002f0000
1619929049.4525  4096         0x00300000
1619929049.4525  4096         0x00350000
1619929049.4525  4096         0x00360000
1619929049.4685  4096         0x00370000
1619929049.4685  4096         0x00380000
1619929049.4685  4096         0x00390000
1619929049.4685  4096         0x003a0000
1619929049.4685  4096         0x003b0000
1619929049.4685  4096         0x003c0000
1619929049.4685  4096         0x003d0000
1619929049.4685  4096         0x00420000
1619929049.4685  4096         0x00430000
1619929049.4685  4096         0x00440000
1619929049.4685  4096         0x00450000
1619929049.4685  4096         0x00460000
1619929049.4685  4096         0x00470000
1619929049.4685  4096         0x00480000
1619929049.4685  4096         0x00490000
1619929049.4685  4096         0x004a0000
1619929049.4835  4096         0x004b0000
1619929049.4835  4096         0x004c0000
1619929049.4835  4096         0x004d0000
1619929049.4835  4096         0x004e0000
1619929049.4835  4096         0x004f0000
1619929049.4835  4096         0x00500000
1619929049.4835  4096         0x00510000
1619929049.4835  4096         0x00520000
1619929049.4835  4096         0x005b0000
1619929049.4835  4096         0x005c0000
1619929049.4835  4096         0x005d0000
1619929049.4835  4096         0x005e0000
1619929049.4835  4096         0x005f0000
1619929049.4835  4096         0x00600000
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rwku reg_value C:\Users\Administrator.Oskar-PC\AppData\Local\Rwku.url
Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (50 out of 122 events)
Process injection: process 3084 created a remote thread in non-child process 3440
The 49 calls listed are CreateRemoteThread with process_identifier 3440, process_handle 0x00000260, flags 0, stack_size 0; status success, repeated 0. Only the time, thread_identifier, function_address, parameter and return value vary:
Time             thread_identifier  function_address  parameter   Return
1619929049.3905  3480               0x00150000        0x00140000  616
1619929049.3905  3484               0x00170000        0x00160000  616
1619929049.4525  3488               0x00270000        0x00260000  612
1619929049.4525  3492               0x002e0000        0x002d0000  620
1619929049.4685  3496               0x00360000        0x00350000  624
1619929049.4685  3500               0x003a0000        0x00390000  628
1619929049.4685  3504               0x00420000        0x003d0000  632
1619929049.4685  3508               0x00460000        0x00450000  636
1619929049.4685  3512               0x004a0000        0x00490000  640
1619929049.4835  3516               0x004e0000        0x004d0000  644
1619929049.4835  3520               0x00520000        0x00510000  648
1619929049.4835  3524               0x005e0000        0x005d0000  652
1619929049.4835  3528               0x00620000        0x00610000  656
1619929049.4835  3532               0x00660000        0x00650000  660
1619929049.4835  3536               0x006a0000        0x00690000  664
1619929049.4835  3540               0x007e0000        0x007d0000  668
1619929049.4835  3544               0x00820000        0x00810000  672
1619929049.4995  3548               0x00860000        0x00850000  676
1619929049.4995  3552               0x008a0000        0x00890000  680
1619929049.4995  3556               0x008e0000        0x008d0000  684
1619929049.4995  3560               0x023f0000        0x00910000  688
1619929049.4995  3564               0x02430000        0x02420000  692
1619929049.4995  3568               0x02470000        0x02460000  696
1619929049.4995  3572               0x024b0000        0x024a0000  700
1619929049.4995  3576               0x024f0000        0x024e0000  704
1619929049.4995  3580               0x02530000        0x02520000  708
1619929049.5155  3584               0x02570000        0x02560000  712
1619929049.5155  3588               0x025b0000        0x025a0000  716
1619929049.5155  3592               0x02600000        0x025f0000  720
1619929049.5155  3596               0x02640000        0x02630000  724
1619929049.5155  3600               0x02680000        0x02670000  728
1619929049.5155  3604               0x026c0000        0x026b0000  732
1619929049.5155  3608               0x02700000        0x026f0000  736
1619929049.5155  3612               0x02740000        0x02730000  740
1619929049.5155  3616               0x02780000        0x02770000  744
1619929049.5155  3620               0x027c0000        0x027b0000  748
1619929049.5155  3624               0x02800000        0x027f0000  752
1619929049.5155  3628               0x02840000        0x02830000  756
1619929049.5155  3632               0x02880000        0x02870000  760
1619929049.5155  3636               0x028c0000        0x028b0000  764
1619929049.5155  3640               0x02900000        0x028f0000  768
1619929049.5155  3644               0x02940000        0x02930000  772
1619929049.5155  3648               0x02980000        0x02970000  776
1619929049.5155  3652               0x029b0000        0x029a0000  780
1619929049.5155  3656               0x029f0000        0x029e0000  780
1619929049.5155  3660               0x02a30000        0x02a20000  784
1619929049.5155  3664               0x02a70000        0x02a60000  788
1619929049.5155  3668               0x02ab0000        0x02aa0000  792
1619929049.5155  3672               0x02ae0000        0x02ad0000  796
Manipulates memory of a non-child process indicative of process injection (50 out of 477 events)
Process injection: process 3084 manipulating memory of non-child process 3440
The 20 complete calls listed are NtAllocateVirtualMemory with process_identifier 3440, process_handle 0x00000260, protection 64 (PAGE_EXECUTE_READWRITE), allocation_type 12288 (MEM_COMMIT|MEM_RESERVE), stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0; status success, return 0, repeated 0. Only the time, region_size and base_address vary:
Time             region_size  base_address
1619929049.3905  106496       0x50480000
1619929049.3905  4096         0x00130000
1619929049.3905  4096         0x00140000
1619929049.3905  4096         0x00150000
1619929049.3905  4096         0x00010000
1619929049.3905  4096         0x00020000
1619929049.3905  4096         0x00160000
1619929049.3905  4096         0x00170000
1619929049.4525  4096         0x00230000
1619929049.4525  4096         0x00250000
1619929049.4525  4096         0x00260000
1619929049.4525  4096         0x00270000
1619929049.4525  4096         0x00280000
1619929049.4525  4096         0x002c0000
1619929049.4525  4096         0x002d0000
1619929049.4525  4096         0x002e0000
1619929049.4525  4096         0x002f0000
1619929049.4525  4096         0x00300000
1619929049.4525  4096         0x00350000
1619929049.4525  4096         0x00360000
1619929049.4685  4096         (record truncated in the source: only process_identifier 3440, region_size 4096, stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0 and protection 64 (PAGE_EXECUTE_READWRITE) are present; base_address and status are missing)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00370000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00380000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00390000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003a0000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003b0000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003c0000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003d0000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00420000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00430000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00440000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00450000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00460000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00470000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00480000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00490000
success 0 0
1619929049.4685
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004a0000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004b0000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004c0000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004d0000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004e0000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004f0000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00500000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00510000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00520000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x005b0000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x005c0000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x005d0000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x005e0000
success 0 0
1619929049.4835
NtAllocateVirtualMemory
process_identifier: 3440
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00000260
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x005f0000
success 0 0
Potential code injection by writing to the memory of another process (50 out of 474 events)
Process injection Process 3084 injected into non-child 3440
Time & API Arguments Status Return Repeated
Executed a process and injected code into it, probably while unpacking (50 out of 954 events)
Time & API Arguments Status Return Repeated
1619929020.46875
CreateProcessInternalW
thread_identifier: 3088
thread_handle: 0x00000244
process_identifier: 3084
current_directory: C:\Users\ADMINI~1.OSK\AppData\Local\Temp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\Rwkutoc.exe
track: 1
command_line: "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\Rwkutoc.exe"
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\Rwkutoc.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000002c8
inherit_handles: 0
success 1 0
1619929039.2025
NtResumeThread
thread_handle: 0x00000154
suspend_count: 1
process_identifier: 3084
success 0 0
1619929047.3905
CreateProcessInternalW
thread_identifier: 3444
thread_handle: 0x0000025c
process_identifier: 3440
current_directory:
filepath: C:\Windows\System32\notepad.exe
track: 1
command_line:
filepath_r: C:\Windows\System32\Notepad.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00000260
inherit_handles: 0
success 1 0
File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43768516
CAT-QuickHeal Trojan.Netwire
ALYac Trojan.GenericKD.43768516
Cylance Unsafe
K7AntiVirus Trojan ( 004aee531 )
Alibaba Trojan:Win32/Ymacco.973b8549
K7GW Trojan ( 004aee531 )
Cybereason malicious.8d74fc
Arcabit Trojan.Generic.D29BDAC4
TrendMicro TROJ_GEN.R049C0PI220
Cyren W32/S-5f21cf29!Eldorado
Symantec Trojan.Gen.MBT
TrendMicro-HouseCall TROJ_GEN.F0D1C00HU20
Paloalto generic.ml
Cynet Malicious (score: 85)
Kaspersky HEUR:Trojan.Win32.NetWire.gen
BitDefender Trojan.GenericKD.43768516
NANO-Antivirus Trojan.Win32.NetWire.htonjw
Avast Win32:Malware-gen
Tencent Win32.Trojan.Netwire.Taer
Ad-Aware Trojan.GenericKD.43768516
Comodo fls.noname@0
F-Secure Trojan.TR/Injector.offnw
DrWeb Trojan.Siggen10.10217
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-S
FireEye Generic.mg.c991a7cf31980ad3
Sophos Mal/Generic-S
APEX Malicious
Avira TR/Injector.offnw
MAX malware (ai score=84)
Antiy-AVL Trojan/Win32.NetWire
Microsoft Trojan:Win32/Ymacco.AA5E
ZoneAlarm HEUR:Trojan.Win32.NetWire.gen
GData Trojan.GenericKD.43768516
McAfee Artemis!C991A7CF3198
VBA32 Trojan.NetWire
Malwarebytes Trojan.MalPack.DLF
Zoner Trojan.Win32.93030
ESET-NOD32 Win32/PSW.Fareit.L
Rising Trojan.NetWire!8.FAFE (TFE:5:lQQ86RyqhfS)
Yandex Trojan.Injector!XksFQR0TFks
Ikarus Trojan.SuspectCRC
Fortinet W32/Dapato!tr
AVG Win32:Malware-gen
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_90% (W)
Qihoo-360 Generic/HEUR/QVM06.3.9A8F.Malware.Gen
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual Analysis
Binary Image
No binary image: no binary visualization image was generated for this sample
Runtime Screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2018-04-11 21:09:41

Imports

Library KERNEL32.dll:
0x430000 GetLastError
0x430004 SetLastError
0x430008 GetCurrentProcess
0x43000c DeviceIoControl
0x430010 SetFileTime
0x430014 CloseHandle
0x430018 CreateDirectoryW
0x43001c RemoveDirectoryW
0x430020 CreateFileW
0x430024 DeleteFileW
0x430028 CreateHardLinkW
0x43002c GetShortPathNameW
0x430030 GetLongPathNameW
0x430034 MoveFileW
0x430038 GetFileType
0x43003c GetStdHandle
0x430040 WriteFile
0x430044 ReadFile
0x430048 FlushFileBuffers
0x43004c SetEndOfFile
0x430050 SetFilePointer
0x430054 SetFileAttributesW
0x430058 GetFileAttributesW
0x43005c FindClose
0x430060 FindFirstFileW
0x430064 FindNextFileW
0x430068 GetVersionExW
0x430070 GetFullPathNameW
0x430074 FoldStringW
0x430078 GetModuleFileNameW
0x43007c GetModuleHandleW
0x430080 FindResourceW
0x430084 FreeLibrary
0x430088 GetProcAddress
0x43008c GetCurrentProcessId
0x430090 ExitProcess
0x430098 Sleep
0x43009c LoadLibraryW
0x4300a0 GetSystemDirectoryW
0x4300a4 CompareStringW
0x4300a8 AllocConsole
0x4300ac FreeConsole
0x4300b0 AttachConsole
0x4300b4 WriteConsoleW
0x4300bc CreateThread
0x4300c0 SetThreadPriority
0x4300d4 SetEvent
0x4300d8 ResetEvent
0x4300dc ReleaseSemaphore
0x4300e0 WaitForSingleObject
0x4300e4 CreateEventW
0x4300e8 CreateSemaphoreW
0x4300ec GetSystemTime
0x430108 GetCPInfo
0x43010c IsDBCSLeadByte
0x430110 MultiByteToWideChar
0x430114 WideCharToMultiByte
0x430118 GlobalAlloc
0x43011c GetTickCount
0x430120 LockResource
0x430124 GlobalLock
0x430128 GlobalUnlock
0x43012c GlobalFree
0x430130 LoadResource
0x430134 SizeofResource
0x43013c GetExitCodeProcess
0x430140 GetLocalTime
0x430144 MapViewOfFile
0x430148 UnmapViewOfFile
0x43014c CreateFileMappingW
0x430150 OpenFileMappingW
0x430154 GetCommandLineW
0x430160 GetTempPathW
0x430164 MoveFileExW
0x430168 GetLocaleInfoW
0x43016c GetTimeFormatW
0x430170 GetDateFormatW
0x430174 GetNumberFormatW
0x430178 SetFilePointerEx
0x43017c GetConsoleMode
0x430180 GetConsoleCP
0x430184 HeapSize
0x430188 SetStdHandle
0x43018c GetProcessHeap
0x430190 RaiseException
0x430194 GetSystemInfo
0x430198 VirtualProtect
0x43019c VirtualQuery
0x4301a0 LoadLibraryExA
0x4301a8 IsDebuggerPresent
0x4301b4 GetStartupInfoW
0x4301bc GetCurrentThreadId
0x4301c4 InitializeSListHead
0x4301c8 TerminateProcess
0x4301cc RtlUnwind
0x4301d0 EncodePointer
0x4301d8 TlsAlloc
0x4301dc TlsGetValue
0x4301e0 TlsSetValue
0x4301e4 TlsFree
0x4301e8 LoadLibraryExW
0x4301f0 GetModuleHandleExW
0x4301f4 GetModuleFileNameA
0x4301f8 GetACP
0x4301fc HeapFree
0x430200 HeapAlloc
0x430204 HeapReAlloc
0x430208 GetStringTypeW
0x43020c LCMapStringW
0x430210 FindFirstFileExA
0x430214 FindNextFileA
0x430218 IsValidCodePage
0x43021c GetOEMCP
0x430220 GetCommandLineA
0x43022c DecodePointer
Library gdiplus.dll:
0x430234 GdiplusShutdown
0x430238 GdiplusStartup
0x430248 GdipDisposeImage
0x43024c GdipCloneImage
0x430250 GdipFree
0x430254 GdipAlloc
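The import table above is what an import hash (imphash) is computed from, and that hash is the usual pivot for finding other builds from the same packer or toolchain. The Python below is an added example, not part of the report, showing the algorithm as pefile implements it: module name lower-cased with its .dll/.ocx/.sys suffix removed, joined to the lower-cased function name, all entries concatenated in IAT order with commas, then MD5. Two things are assumptions: the input is a hand-picked subset of the names listed above (in their listed order), and the address gaps in the listing (for example 0x430068 followed by 0x430070) show entries the page omits, so the value printed is the algorithm applied to the visible names, not the sample's real imphash. Ordinal-only imports, which pefile maps to names through built-in tables for a few DLLs such as ws2_32 and oleaut32, are not handled here because none appear in the listing.

```python
import hashlib

# Constructed from the import table printed above: a subset of the KERNEL32.dll
# names in their listed order, plus the gdiplus.dll names. Not the full table,
# so imphash(IMPORTS) is an illustration, not the sample's imphash.
IMPORTS = [
    ("KERNEL32.dll", ["GetLastError", "SetLastError", "GetCurrentProcess",
                      "DeviceIoControl", "SetFileTime", "CloseHandle",
                      "CreateDirectoryW", "RemoveDirectoryW", "CreateFileW",
                      "DeleteFileW", "CreateHardLinkW", "GetShortPathNameW",
                      "GetProcAddress", "CreateThread", "VirtualProtect",
                      "VirtualQuery", "LoadLibraryExA", "IsDebuggerPresent"]),
    ("gdiplus.dll", ["GdiplusShutdown", "GdiplusStartup", "GdipDisposeImage",
                     "GdipCloneImage", "GdipFree", "GdipAlloc"]),
]

STRIP_SUFFIXES = (".dll", ".ocx", ".sys")


def normalize_imports(imports):
    """Lower-case 'module.function' tokens in IAT order, as pefile's imphash builds them."""
    tokens = []
    for dll, funcs in imports:
        lib = dll.lower()
        for suffix in STRIP_SUFFIXES:
            if lib.endswith(suffix):
                lib = lib[: -len(suffix)]
                break
        tokens.extend(f"{lib}.{func.lower()}" for func in funcs)
    return tokens


def imphash(imports):
    """MD5 over the comma-joined normalized tokens; order-sensitive by design."""
    return hashlib.md5(",".join(normalize_imports(imports)).encode()).hexdigest()


def import_overlap(a, b):
    """Jaccard similarity of the two import sets: an order-insensitive companion
    to imphash, useful when a relinked build reorders the IAT."""
    sa, sb = set(normalize_imports(a)), set(normalize_imports(b))
    return len(sa & sb) / len(sa | sb)


if __name__ == "__main__":
    print("imphash  :", imphash(IMPORTS))
    # Same imports emitted in a different order: imphash changes, overlap stays 1.0.
    reordered = [(dll, list(reversed(funcs))) for dll, funcs in IMPORTS]
    print("reordered:", imphash(reordered), "overlap:", import_overlap(IMPORTS, reordered))
```

Because the hash covers names and order only, two samples with the same imphash share a linker-level import layout, not necessarily the same code; conversely, packers that resolve everything through GetProcAddress at run time (this binary imports LoadLibraryW, LoadLibraryExA and GetProcAddress) leave an import table that says little about the payload, which is why the hash is best used as a clustering key alongside the behavioural indicators rather than as a verdict.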

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 61680 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 49236 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.