SmartHawk

8.8

极危

57 个模型检测该样本为恶意！

重新分析

下载样本

178d42beb97c29b2c1e2ee08ac527d454e234c183ef03a29c357856443f9191b

da70f0ef4c938ad70d451582d391f1a4.exe

分析耗时

79s

最近分析

文件大小

1.2MB

静态报毒动态报毒 AI SCORE=86 AIDETECTVM ANDROM AVYN BIFROSE BTU4OY CLASSIC CONFIDENCE CRYPTINJECTOR DELF DOWNLOADER33 EMMN FAREIT FORMBOOK GENERICKD GENKRYPTIK HIGH CONFIDENCE HLEXDO HUHB IGENT KRYPTIK MALWARE1 MALWARE@#2HMT4PS2O7KXX MALWAREX MHW@A4P6JWPI OLGJM SCORE STATIC AI SUSPICIOUS PE TSCOPE UNSAFE WSTK ZELPHICO 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FUL!DA70F0EF4C93	20201211	6.0.6.653
Baidu		20190318	1.0.0.2
Avast	Win32:MalwareX-gen [Trj]	20201210	21.1.5827.0
Alibaba	Backdoor:Win32/CryptInjector.006baeb8	20190527	0.3.0.5
Tencent	Win32.Backdoor.Androm.Wstk	20201211	1.0.0.1
Kingsoft		20201211	2017.9.26.565
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 个事件)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948416.001205 NtAllocateVirtualMemory	process_identifier: 2740 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x003a0000	success	0	0
1619948416.829205 NtAllocateVirtualMemory	process_identifier: 2740 region_size: 450560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x10410000	success	0	0

Downloads a file or document from Google Drive (1 个事件)

domain

drive.google.com

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948418.704205 NtProtectVirtualMemory	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 380928 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x10411000	success	0	0

One or more of the buffers contains an embedded PE file (1 个事件)

buffer

Buffer with sha1: 8505d943f7034f8386421dbb8b150cb8a0bbf573

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (50 out of 1693 个事件)

Time & API	Arguments	Status
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 450560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x10410000	success
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x001f0000	success
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00200000	success
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00210000	success
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00360000	success
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00370000	success
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00380000	success
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00390000	success
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003a0000	success
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003b0000	success
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003c0000	success
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003d0000	success
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00540000	success
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00550000	success
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00560000	success
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00570000	success
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00580000	success
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00590000	success
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005a0000	success
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005b0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005c0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005d0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005e0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005f0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00600000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00610000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00620000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00630000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x006c0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x006d0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x006e0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x006f0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00710000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00720000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00730000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x007c0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x007d0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x007e0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x007f0000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00800000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00810000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00820000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00830000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00840000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00850000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00860000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00870000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00880000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00890000	success
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x008a0000	success

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (50 out of 429 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2740 created a remote thread in non-child process 2284
1619948416.907205 CreateRemoteThread	thread_identifier: 2468 process_identifier: 2284 function_address: 0x00210000 flags: 0 process_handle: 0x0000023c parameter: 0x00200000 stack_size: 0	success	580	0
1619948416.907205 CreateRemoteThread	thread_identifier: 2528 process_identifier: 2284 function_address: 0x00390000 flags: 0 process_handle: 0x0000023c parameter: 0x00380000 stack_size: 0	success	580	0
1619948416.938205 CreateRemoteThread	thread_identifier: 1632 process_identifier: 2284 function_address: 0x003d0000 flags: 0 process_handle: 0x0000023c parameter: 0x003c0000 stack_size: 0	success	576	0
1619948416.938205 CreateRemoteThread	thread_identifier: 1704 process_identifier: 2284 function_address: 0x00570000 flags: 0 process_handle: 0x0000023c parameter: 0x00560000 stack_size: 0	success	592	0
1619948416.938205 CreateRemoteThread	thread_identifier: 1404 process_identifier: 2284 function_address: 0x005b0000 flags: 0 process_handle: 0x0000023c parameter: 0x005a0000 stack_size: 0	success	596	0
1619948416.954205 CreateRemoteThread	thread_identifier: 3004 process_identifier: 2284 function_address: 0x005f0000 flags: 0 process_handle: 0x0000023c parameter: 0x005e0000 stack_size: 0	success	600	0
1619948416.954205 CreateRemoteThread	thread_identifier: 1108 process_identifier: 2284 function_address: 0x00630000 flags: 0 process_handle: 0x0000023c parameter: 0x00620000 stack_size: 0	success	604	0
1619948416.954205 CreateRemoteThread	thread_identifier: 2732 process_identifier: 2284 function_address: 0x006f0000 flags: 0 process_handle: 0x0000023c parameter: 0x006e0000 stack_size: 0	success	608	0
1619948416.954205 CreateRemoteThread	thread_identifier: 944 process_identifier: 2284 function_address: 0x007c0000 flags: 0 process_handle: 0x0000023c parameter: 0x00730000 stack_size: 0	success	612	0
1619948416.954205 CreateRemoteThread	thread_identifier: 1060 process_identifier: 2284 function_address: 0x00800000 flags: 0 process_handle: 0x0000023c parameter: 0x007f0000 stack_size: 0	success	616	0
1619948416.954205 CreateRemoteThread	thread_identifier: 520 process_identifier: 2284 function_address: 0x00840000 flags: 0 process_handle: 0x0000023c parameter: 0x00830000 stack_size: 0	success	620	0
1619948416.954205 CreateRemoteThread	thread_identifier: 2296 process_identifier: 2284 function_address: 0x00880000 flags: 0 process_handle: 0x0000023c parameter: 0x00870000 stack_size: 0	success	624	0
1619948416.954205 CreateRemoteThread	thread_identifier: 360 process_identifier: 2284 function_address: 0x020e0000 flags: 0 process_handle: 0x0000023c parameter: 0x008b0000 stack_size: 0	success	628	0
1619948416.954205 CreateRemoteThread	thread_identifier: 196 process_identifier: 2284 function_address: 0x02120000 flags: 0 process_handle: 0x0000023c parameter: 0x02110000 stack_size: 0	success	632	0
1619948416.954205 CreateRemoteThread	thread_identifier: 2404 process_identifier: 2284 function_address: 0x02160000 flags: 0 process_handle: 0x0000023c parameter: 0x02150000 stack_size: 0	success	636	0
1619948416.969205 CreateRemoteThread	thread_identifier: 2252 process_identifier: 2284 function_address: 0x021a0000 flags: 0 process_handle: 0x0000023c parameter: 0x02190000 stack_size: 0	success	640	0
1619948416.969205 CreateRemoteThread	thread_identifier: 2456 process_identifier: 2284 function_address: 0x021e0000 flags: 0 process_handle: 0x0000023c parameter: 0x021d0000 stack_size: 0	success	644	0
1619948416.969205 CreateRemoteThread	thread_identifier: 2236 process_identifier: 2284 function_address: 0x02220000 flags: 0 process_handle: 0x0000023c parameter: 0x02210000 stack_size: 0	success	648	0
1619948416.969205 CreateRemoteThread	thread_identifier: 3076 process_identifier: 2284 function_address: 0x02260000 flags: 0 process_handle: 0x0000023c parameter: 0x02250000 stack_size: 0	success	652	0
1619948416.969205 CreateRemoteThread	thread_identifier: 3080 process_identifier: 2284 function_address: 0x022a0000 flags: 0 process_handle: 0x0000023c parameter: 0x02290000 stack_size: 0	success	656	0
1619948416.985205 CreateRemoteThread	thread_identifier: 3084 process_identifier: 2284 function_address: 0x022e0000 flags: 0 process_handle: 0x0000023c parameter: 0x022d0000 stack_size: 0	success	660	0
1619948416.985205 CreateRemoteThread	thread_identifier: 3088 process_identifier: 2284 function_address: 0x02320000 flags: 0 process_handle: 0x0000023c parameter: 0x02310000 stack_size: 0	success	664	0
1619948417.001205 CreateRemoteThread	thread_identifier: 3092 process_identifier: 2284 function_address: 0x02360000 flags: 0 process_handle: 0x0000023c parameter: 0x02350000 stack_size: 0	success	668	0
1619948417.016205 CreateRemoteThread	thread_identifier: 3096 process_identifier: 2284 function_address: 0x023a0000 flags: 0 process_handle: 0x0000023c parameter: 0x02390000 stack_size: 0	success	672	0
1619948417.016205 CreateRemoteThread	thread_identifier: 3100 process_identifier: 2284 function_address: 0x023e0000 flags: 0 process_handle: 0x0000023c parameter: 0x023d0000 stack_size: 0	success	676	0
1619948417.016205 CreateRemoteThread	thread_identifier: 3104 process_identifier: 2284 function_address: 0x02420000 flags: 0 process_handle: 0x0000023c parameter: 0x02410000 stack_size: 0	success	680	0
1619948417.016205 CreateRemoteThread	thread_identifier: 3108 process_identifier: 2284 function_address: 0x02460000 flags: 0 process_handle: 0x0000023c parameter: 0x02450000 stack_size: 0	success	684	0
1619948417.032205 CreateRemoteThread	thread_identifier: 3112 process_identifier: 2284 function_address: 0x024a0000 flags: 0 process_handle: 0x0000023c parameter: 0x02490000 stack_size: 0	success	688	0
1619948417.032205 CreateRemoteThread	thread_identifier: 3116 process_identifier: 2284 function_address: 0x024e0000 flags: 0 process_handle: 0x0000023c parameter: 0x024d0000 stack_size: 0	success	692	0
1619948417.047205 CreateRemoteThread	thread_identifier: 3120 process_identifier: 2284 function_address: 0x02520000 flags: 0 process_handle: 0x0000023c parameter: 0x02510000 stack_size: 0	success	696	0
1619948417.047205 CreateRemoteThread	thread_identifier: 3124 process_identifier: 2284 function_address: 0x02560000 flags: 0 process_handle: 0x0000023c parameter: 0x02550000 stack_size: 0	success	700	0
1619948417.047205 CreateRemoteThread	thread_identifier: 3128 process_identifier: 2284 function_address: 0x025a0000 flags: 0 process_handle: 0x0000023c parameter: 0x02590000 stack_size: 0	success	704	0
1619948417.047205 CreateRemoteThread	thread_identifier: 3132 process_identifier: 2284 function_address: 0x025e0000 flags: 0 process_handle: 0x0000023c parameter: 0x025d0000 stack_size: 0	success	708	0
1619948417.047205 CreateRemoteThread	thread_identifier: 3136 process_identifier: 2284 function_address: 0x02620000 flags: 0 process_handle: 0x0000023c parameter: 0x02610000 stack_size: 0	success	712	0
1619948417.047205 CreateRemoteThread	thread_identifier: 3140 process_identifier: 2284 function_address: 0x02660000 flags: 0 process_handle: 0x0000023c parameter: 0x02650000 stack_size: 0	success	716	0
1619948417.047205 CreateRemoteThread	thread_identifier: 3144 process_identifier: 2284 function_address: 0x026a0000 flags: 0 process_handle: 0x0000023c parameter: 0x02690000 stack_size: 0	success	720	0
1619948417.063205 CreateRemoteThread	thread_identifier: 3148 process_identifier: 2284 function_address: 0x026e0000 flags: 0 process_handle: 0x0000023c parameter: 0x026d0000 stack_size: 0	success	724	0
1619948417.063205 CreateRemoteThread	thread_identifier: 3152 process_identifier: 2284 function_address: 0x02720000 flags: 0 process_handle: 0x0000023c parameter: 0x02710000 stack_size: 0	success	728	0
1619948417.063205 CreateRemoteThread	thread_identifier: 3160 process_identifier: 2284 function_address: 0x02760000 flags: 0 process_handle: 0x0000023c parameter: 0x02750000 stack_size: 0	success	732	0
1619948417.063205 CreateRemoteThread	thread_identifier: 3164 process_identifier: 2284 function_address: 0x027a0000 flags: 0 process_handle: 0x0000023c parameter: 0x02790000 stack_size: 0	success	736	0
1619948417.063205 CreateRemoteThread	thread_identifier: 3168 process_identifier: 2284 function_address: 0x027e0000 flags: 0 process_handle: 0x0000023c parameter: 0x027d0000 stack_size: 0	success	740	0
1619948417.079205 CreateRemoteThread	thread_identifier: 3172 process_identifier: 2284 function_address: 0x02820000 flags: 0 process_handle: 0x0000023c parameter: 0x02810000 stack_size: 0	success	744	0
1619948417.079205 CreateRemoteThread	thread_identifier: 3176 process_identifier: 2284 function_address: 0x02860000 flags: 0 process_handle: 0x0000023c parameter: 0x02850000 stack_size: 0	success	748	0
1619948417.079205 CreateRemoteThread	thread_identifier: 3180 process_identifier: 2284 function_address: 0x02890000 flags: 0 process_handle: 0x0000023c parameter: 0x02880000 stack_size: 0	success	752	0
1619948417.079205 CreateRemoteThread	thread_identifier: 3184 process_identifier: 2284 function_address: 0x02a10000 flags: 0 process_handle: 0x0000023c parameter: 0x02a00000 stack_size: 0	success	752	0
1619948417.079205 CreateRemoteThread	thread_identifier: 3188 process_identifier: 2284 function_address: 0x02a50000 flags: 0 process_handle: 0x0000023c parameter: 0x02a40000 stack_size: 0	success	756	0
1619948417.094205 CreateRemoteThread	thread_identifier: 3192 process_identifier: 2284 function_address: 0x02a90000 flags: 0 process_handle: 0x0000023c parameter: 0x02a80000 stack_size: 0	success	760	0
1619948417.094205 CreateRemoteThread	thread_identifier: 3196 process_identifier: 2284 function_address: 0x02ad0000 flags: 0 process_handle: 0x0000023c parameter: 0x02ac0000 stack_size: 0	success	764	0
1619948417.094205 CreateRemoteThread	thread_identifier: 3200 process_identifier: 2284 function_address: 0x02b00000 flags: 0 process_handle: 0x0000023c parameter: 0x02af0000 stack_size: 0	success	768	0

Manipulates memory of a non-child process indicative of process injection (50 out of 1694 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2740 manipulating memory of non-child process 2284
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 450560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x10410000	success	0	0
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x001f0000	success	0	0
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00200000	success	0	0
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00210000	success	0	0
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00360000	success	0	0
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00370000	success	0	0
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00380000	success	0	0
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00390000	success	0	0
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003a0000	success	0	0
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003b0000	success	0	0
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003c0000	success	0	0
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003d0000	success	0	0
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00540000	success	0	0
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00550000	success	0	0
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00560000	success	0	0
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00570000	success	0	0
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00580000	success	0	0
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00590000	success	0	0
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005a0000	success	0	0
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005b0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005c0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005d0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005e0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005f0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00600000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00610000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00620000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00630000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x006c0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x006d0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x006e0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x006f0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00710000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00720000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00730000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x007c0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x007d0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x007e0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x007f0000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00800000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00810000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00820000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00830000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00840000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00850000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00860000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00870000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00880000	success	0	0
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00890000	success	0	0

Potential code injection by writing to the memory of another process (50 out of 1693 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2740 injected into non-child 2284
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x001f0000	success	1	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: ×I5vÿ5v process_handle: 0x0000023c base_address: 0x00200000	success	1	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄôEUôPUøPUüÿuøÿUô¸ÿÿÿÿPÿUüëõå]Â@UìÄðSVUüðEüè÷ÿ3ÀUhòIIdÿ0d 3ÛhJIhJIè$÷ÿPè$÷ÿEøhJIhJIè$÷ÿPè$÷ÿEðEüè_÷ÿÐÆèþÿÿEôjjMðº IIÆèÔþÿÿÀtPèæ"÷ÿ³3ÀZYYdhùIIEüè_ûöÿÃ process_handle: 0x0000023c base_address: 0x00210000	success	1	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: DeleteCriticalSection process_handle: 0x0000023c base_address: 0x00360000	success	1	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x00370000	success	1	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5v76 process_handle: 0x0000023c base_address: 0x00380000	success	1	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x00390000	success	1	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: LeaveCriticalSection process_handle: 0x0000023c base_address: 0x003a0000	success	1	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x003b0000	success	1	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5v;: process_handle: 0x0000023c base_address: 0x003c0000	success	1	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x003d0000	success	1	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: EnterCriticalSection process_handle: 0x0000023c base_address: 0x00540000	success	1	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x00550000	success	1	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5vUT process_handle: 0x0000023c base_address: 0x00560000	success	1	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x00570000	success	1	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: InitializeCriticalSection process_handle: 0x0000023c base_address: 0x00580000	success	1	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x00590000	success	1	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5vYX process_handle: 0x0000023c base_address: 0x005a0000	success	1	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x005b0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: VirtualFree process_handle: 0x0000023c base_address: 0x005c0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x005d0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5v]\ process_handle: 0x0000023c base_address: 0x005e0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x005f0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: VirtualAlloc process_handle: 0x0000023c base_address: 0x00600000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x00610000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5va` process_handle: 0x0000023c base_address: 0x00620000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x00630000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: LocalFree process_handle: 0x0000023c base_address: 0x006c0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x006d0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5vml process_handle: 0x0000023c base_address: 0x006e0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x006f0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: LocalAlloc process_handle: 0x0000023c base_address: 0x00710000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x00720000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5vrq process_handle: 0x0000023c base_address: 0x00730000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x007c0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: GetVersion process_handle: 0x0000023c base_address: 0x007d0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x007e0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5v~} process_handle: 0x0000023c base_address: 0x007f0000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x00800000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: GetCurrentThreadId process_handle: 0x0000023c base_address: 0x00810000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x00820000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5v process_handle: 0x0000023c base_address: 0x00830000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x00840000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: InterlockedDecrement process_handle: 0x0000023c base_address: 0x00850000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x00860000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5v process_handle: 0x0000023c base_address: 0x00870000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x00880000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: InterlockedIncrement process_handle: 0x0000023c base_address: 0x00890000	success	1	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x008a0000	success	1	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

69.171.244.15:443

Executed a process and injected code into it, probably while unpacking (50 out of 3388 个事件)

Time & API	Arguments	Status	Return
1619948416.688205 NtResumeThread	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2740	success	0
1619948416.907205 CreateProcessInternalW	thread_identifier: 1544 thread_handle: 0x00000238 process_identifier: 2284 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\da70f0ef4c938ad70d451582d391f1a4.exe track: 1 command_line: filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\da70f0ef4c938ad70d451582d391f1a4.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x0000023c inherit_handles: 0	success	1
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 450560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x10410000	success	0
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x001f0000	success	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x001f0000	success	1
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00200000	success	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: ×I5vÿ5v process_handle: 0x0000023c base_address: 0x00200000	success	1
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00210000	success	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄôEUôPUøPUüÿuøÿUô¸ÿÿÿÿPÿUüëõå]Â@UìÄðSVUüðEüè÷ÿ3ÀUhòIIdÿ0d 3ÛhJIhJIè$÷ÿPè$÷ÿEøhJIhJIè$÷ÿPè$÷ÿEðEüè_÷ÿÐÆèþÿÿEôjjMðº IIÆèÔþÿÿÀtPèæ"÷ÿ³3ÀZYYdhùIIEüè_ûöÿÃ process_handle: 0x0000023c base_address: 0x00210000	success	1
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00360000	success	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: DeleteCriticalSection process_handle: 0x0000023c base_address: 0x00360000	success	1
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00370000	success	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x00370000	success	1
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00380000	success	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5v76 process_handle: 0x0000023c base_address: 0x00380000	success	1
1619948416.907205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00390000	success	0
1619948416.907205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x00390000	success	1
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003a0000	success	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: LeaveCriticalSection process_handle: 0x0000023c base_address: 0x003a0000	success	1
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003b0000	success	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x003b0000	success	1
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003c0000	success	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5v;: process_handle: 0x0000023c base_address: 0x003c0000	success	1
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x003d0000	success	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x003d0000	success	1
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00540000	success	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: EnterCriticalSection process_handle: 0x0000023c base_address: 0x00540000	success	1
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00550000	success	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x00550000	success	1
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00560000	success	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5vUT process_handle: 0x0000023c base_address: 0x00560000	success	1
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00570000	success	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x00570000	success	1
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00580000	success	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: InitializeCriticalSection process_handle: 0x0000023c base_address: 0x00580000	success	1
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00590000	success	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x00590000	success	1
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005a0000	success	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5vYX process_handle: 0x0000023c base_address: 0x005a0000	success	1
1619948416.938205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005b0000	success	0
1619948416.938205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x005b0000	success	1
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005c0000	success	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: VirtualFree process_handle: 0x0000023c base_address: 0x005c0000	success	1
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005d0000	success	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: kernel32.dll process_handle: 0x0000023c base_address: 0x005d0000	success	1
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005e0000	success	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: ÕØw"5vE5v]\ process_handle: 0x0000023c base_address: 0x005e0000	success	1
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005f0000	success	0
1619948416.954205 WriteProcessMemory	process_identifier: 2284 buffer: UìÄìVWEð}ì¥¥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^å]ÂÀSVWÄäùòØ3À$hKIh KIè(#÷ÿPè*#÷ÿD$h,KIh KIè#÷ÿPè#÷ÿD$h<KIh KIèö"÷ÿPèø"÷ÿD$×Ã process_handle: 0x0000023c base_address: 0x005f0000	success	1
1619948416.954205 NtAllocateVirtualMemory	process_identifier: 2284 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000023c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00600000	success	0

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43343592
McAfee	Fareit-FUL!DA70F0EF4C93
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Trojan ( 00568bfa1 )
BitDefender	Trojan.GenericKD.43343592
K7GW	Trojan ( 00568bfa1 )
Cybereason	malicious.c1b9bf
Arcabit	Trojan.Generic.D2955EE8
BitDefenderTheta	Gen:NN.ZelphiCO.34670.mHW@a4P6jWpi
Cyren	W32/Injector.HUHB-5403
Symantec	Infostealer
ESET-NOD32	Win32/TrojanDownloader.Delf.CWN
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
ClamAV	Win.Dropper.Formbook-8041921-0
Kaspersky	HEUR:Backdoor.Win32.Androm.gen
Alibaba	Backdoor:Win32/CryptInjector.006baeb8
NANO-Antivirus	Trojan.Win32.Dwn.hlexdo
AegisLab	Trojan.Win32.Androm.m!c
Tencent	Win32.Backdoor.Androm.Wstk
Ad-Aware	Trojan.GenericKD.43343592
Sophos	Mal/Generic-S
Comodo	Malware@#2hmt4ps2o7kxx
F-Secure	Trojan.TR/Kryptik.olgjm
DrWeb	Trojan.DownLoader33.56137
Zillya	Backdoor.Androm.Win32.73180
McAfee-GW-Edition	Fareit-FUL!DA70F0EF4C93
FireEye	Generic.mg.da70f0ef4c938ad7
Emsisoft	Trojan.GenericKD.43343592 (B)
SentinelOne	Static AI - Suspicious PE
Jiangmin	Backdoor.Androm.avyn
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.olgjm
Antiy-AVL	Trojan[Backdoor]/Win32.Androm
Microsoft	Trojan:Win32/CryptInjector.E!MTB
AhnLab-V3	Trojan/Win32.Agent.C4126672
ZoneAlarm	HEUR:Backdoor.Win32.Androm.gen
GData	Trojan.GenericKD.43343592
Cynet	Malicious (score: 100)
VBA32	TScope.Trojan.Delf
ALYac	Trojan.GenericKD.43343592
MAX	malware (ai score=86)
Malwarebytes	Trojan.MalPack.DLF
Panda	Trj/CI.A
Zoner	Trojan.Win32.94460
Rising	Trojan.Kryptik!1.C56D (CLASSIC)

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:

• 0x502168 DeleteCriticalSection

• 0x50216c LeaveCriticalSection

• 0x502170 EnterCriticalSection

• 0x502174 InitializeCriticalSection

• 0x502178 VirtualFree

• 0x50217c VirtualAlloc

• 0x502180 LocalFree

• 0x502184 LocalAlloc

• 0x502188 GetVersion

• 0x50218c GetCurrentThreadId

• 0x502190 InterlockedDecrement

• 0x502194 InterlockedIncrement

• 0x502198 VirtualQuery

• 0x50219c WideCharToMultiByte

• 0x5021a0 MultiByteToWideChar

• 0x5021a4 lstrlenA

• 0x5021a8 lstrcpynA

• 0x5021ac LoadLibraryExA

• 0x5021b0 GetThreadLocale

• 0x5021b4 GetStartupInfoA

• 0x5021b8 GetProcAddress

• 0x5021bc GetModuleHandleA

• 0x5021c0 GetModuleFileNameA

• 0x5021c4 GetLocaleInfoA

• 0x5021c8 GetCommandLineA

• 0x5021cc FreeLibrary

• 0x5021d0 FindFirstFileA

• 0x5021d4 FindClose

• 0x5021d8 ExitProcess

• 0x5021dc WriteFile

• 0x5021e0 UnhandledExceptionFilter

• 0x5021e4 RtlUnwind

• 0x5021e8 RaiseException

• 0x5021ec GetStdHandle

Library user32.dll:

• 0x5021f4 GetKeyboardType

• 0x5021f8 LoadStringA

• 0x5021fc MessageBoxA

• 0x502200 CharNextA

Library advapi32.dll:

• 0x502208 RegQueryValueExA

• 0x50220c RegOpenKeyExA

• 0x502210 RegCloseKey

Library oleaut32.dll:

• 0x502218 SysFreeString

• 0x50221c SysReAllocStringLen

• 0x502220 SysAllocStringLen

Library kernel32.dll:

• 0x502228 TlsSetValue

• 0x50222c TlsGetValue

• 0x502230 LocalAlloc

• 0x502234 GetModuleHandleA

Library advapi32.dll:

• 0x50223c RegQueryValueExA

• 0x502240 RegOpenKeyExA

• 0x502244 RegCloseKey

Library kernel32.dll:

• 0x50224c lstrcpyA

• 0x502250 lstrcmpiA

• 0x502254 WriteProcessMemory

• 0x502258 WriteFile

• 0x50225c WaitForSingleObject

• 0x502260 VirtualQuery

• 0x502264 VirtualProtect

• 0x502268 VirtualFree

• 0x50226c VirtualAllocEx

• 0x502270 VirtualAlloc

• 0x502274 Sleep

• 0x502278 SizeofResource

• 0x50227c SetThreadLocale

• 0x502280 SetFilePointer

• 0x502284 SetEvent

• 0x502288 SetErrorMode

• 0x50228c SetEndOfFile

• 0x502290 ResetEvent

• 0x502294 ReadProcessMemory

• 0x502298 ReadFile

• 0x50229c MultiByteToWideChar

• 0x5022a0 MulDiv

• 0x5022a4 LockResource

• 0x5022a8 LoadResource

• 0x5022ac LoadLibraryA

• 0x5022b0 LeaveCriticalSection

• 0x5022b4 InitializeCriticalSection

• 0x5022b8 GlobalUnlock

• 0x5022bc GlobalReAlloc

• 0x5022c0 GlobalHandle

• 0x5022c4 GlobalLock

• 0x5022c8 GlobalFree

• 0x5022cc GlobalFindAtomA

• 0x5022d0 GlobalDeleteAtom

• 0x5022d4 GlobalAlloc

• 0x5022d8 GlobalAddAtomA

• 0x5022dc GetVersionExA

• 0x5022e0 GetVersion

• 0x5022e4 GetTickCount

• 0x5022e8 GetThreadLocale

• 0x5022ec GetSystemInfo

• 0x5022f0 GetStringTypeExA

• 0x5022f4 GetStdHandle

• 0x5022f8 GetProcAddress

• 0x5022fc GetModuleHandleA

• 0x502300 GetModuleFileNameA

• 0x502304 GetLocaleInfoA

• 0x502308 GetLocalTime

• 0x50230c GetLastError

• 0x502310 GetFullPathNameA

• 0x502314 GetExitCodeThread

• 0x502318 GetDiskFreeSpaceA

• 0x50231c GetDateFormatA

• 0x502320 GetCurrentThreadId

• 0x502324 GetCurrentProcessId

• 0x502328 GetCPInfo

• 0x50232c GetACP

• 0x502330 FreeResource

• 0x502334 InterlockedExchange

• 0x502338 FreeLibrary

• 0x50233c FormatMessageA

• 0x502340 FindResourceA

• 0x502344 ExitProcess

• 0x502348 EnumCalendarInfoA

• 0x50234c EnterCriticalSection

• 0x502350 DeleteCriticalSection

• 0x502354 CreateThread

• 0x502358 CreateRemoteThread

• 0x50235c CreateProcessA

• 0x502360 CreateFileA

• 0x502364 CreateEventA

• 0x502368 CompareStringA

• 0x50236c CloseHandle

Library version.dll:

• 0x502374 VerQueryValueA

• 0x502378 GetFileVersionInfoSizeA

• 0x50237c GetFileVersionInfoA

Library gdi32.dll:

• 0x502384 UnrealizeObject

• 0x502388 StretchBlt

• 0x50238c SetWindowOrgEx

• 0x502390 SetWinMetaFileBits

• 0x502394 SetViewportOrgEx

• 0x502398 SetTextColor

• 0x50239c SetStretchBltMode

• 0x5023a0 SetROP2

• 0x5023a4 SetPixel

• 0x5023a8 SetEnhMetaFileBits

• 0x5023ac SetDIBColorTable

• 0x5023b0 SetBrushOrgEx

• 0x5023b4 SetBkMode

• 0x5023b8 SetBkColor

• 0x5023bc SelectPalette

• 0x5023c0 SelectObject

• 0x5023c4 SelectClipRgn

• 0x5023c8 SaveDC

• 0x5023cc RestoreDC

• 0x5023d0 Rectangle

• 0x5023d4 RectVisible

• 0x5023d8 RealizePalette

• 0x5023dc Polyline

• 0x5023e0 PlayEnhMetaFile

• 0x5023e4 PatBlt

• 0x5023e8 MoveToEx

• 0x5023ec MaskBlt

• 0x5023f0 LineTo

• 0x5023f4 IntersectClipRect

• 0x5023f8 GetWindowOrgEx

• 0x5023fc GetWinMetaFileBits

• 0x502400 GetTextMetricsA

• 0x502404 GetTextExtentPoint32A

• 0x502408 GetSystemPaletteEntries

• 0x50240c GetStockObject

• 0x502410 GetPixel

• 0x502414 GetPaletteEntries

• 0x502418 GetObjectA

• 0x50241c GetEnhMetaFilePaletteEntries

• 0x502420 GetEnhMetaFileHeader

• 0x502424 GetEnhMetaFileBits

• 0x502428 GetDeviceCaps

• 0x50242c GetDIBits

• 0x502430 GetDIBColorTable

• 0x502434 GetDCOrgEx

• 0x502438 GetCurrentPositionEx

• 0x50243c GetClipBox

• 0x502440 GetBrushOrgEx

• 0x502444 GetBitmapBits

• 0x502448 GdiFlush

• 0x50244c ExtTextOutA

• 0x502450 ExcludeClipRect

• 0x502454 DeleteObject

• 0x502458 DeleteEnhMetaFile

• 0x50245c DeleteDC

• 0x502460 CreateSolidBrush

• 0x502464 CreatePenIndirect

• 0x502468 CreatePalette

• 0x50246c CreateHalftonePalette

• 0x502470 CreateFontIndirectA

• 0x502474 CreateDIBitmap

• 0x502478 CreateDIBSection

• 0x50247c CreateCompatibleDC

• 0x502480 CreateCompatibleBitmap

• 0x502484 CreateBrushIndirect

• 0x502488 CreateBitmap

• 0x50248c CopyEnhMetaFileA

• 0x502490 BitBlt

Library user32.dll:

• 0x502498 CreateWindowExA

• 0x50249c WindowFromPoint

• 0x5024a0 WinHelpA

• 0x5024a4 WaitMessage

• 0x5024a8 UpdateWindow

• 0x5024ac UnregisterClassA

• 0x5024b0 UnhookWindowsHookEx

• 0x5024b4 TranslateMessage

• 0x5024b8 TranslateMDISysAccel

• 0x5024bc TrackPopupMenu

• 0x5024c0 SystemParametersInfoA

• 0x5024c4 ShowWindow

• 0x5024c8 ShowScrollBar

• 0x5024cc ShowOwnedPopups

• 0x5024d0 ShowCursor

• 0x5024d4 SetWindowsHookExA

• 0x5024d8 SetWindowTextA

• 0x5024dc SetWindowPos

• 0x5024e0 SetWindowPlacement

• 0x5024e4 SetWindowLongA

• 0x5024e8 SetTimer

• 0x5024ec SetScrollRange

• 0x5024f0 SetScrollPos

• 0x5024f4 SetScrollInfo

• 0x5024f8 SetRect

• 0x5024fc SetPropA

• 0x502500 SetParent

• 0x502504 SetMenuItemInfoA

• 0x502508 SetMenu

• 0x50250c SetKeyboardState

• 0x502510 SetForegroundWindow

• 0x502514 SetFocus

• 0x502518 SetCursor

• 0x50251c SetClipboardData

• 0x502520 SetClassLongA

• 0x502524 SetCapture

• 0x502528 SetActiveWindow

• 0x50252c SendMessageA

• 0x502530 ScrollWindow

• 0x502534 ScreenToClient

• 0x502538 RemovePropA

• 0x50253c RemoveMenu

• 0x502540 ReleaseDC

• 0x502544 ReleaseCapture

• 0x502548 RegisterWindowMessageA

• 0x50254c RegisterClipboardFormatA

• 0x502550 RegisterClassA

• 0x502554 RedrawWindow

• 0x502558 PtInRect

• 0x50255c PostQuitMessage

• 0x502560 PostMessageA

• 0x502564 PeekMessageA

• 0x502568 OpenClipboard

• 0x50256c OffsetRect

• 0x502570 OemToCharA

• 0x502574 MessageBoxA

• 0x502578 MessageBeep

• 0x50257c MapWindowPoints

• 0x502580 MapVirtualKeyA

• 0x502584 LoadStringA

• 0x502588 LoadKeyboardLayoutA

• 0x50258c LoadIconA

• 0x502590 LoadCursorA

• 0x502594 LoadBitmapA

• 0x502598 KillTimer

• 0x50259c IsZoomed

• 0x5025a0 IsWindowVisible

• 0x5025a4 IsWindowEnabled

• 0x5025a8 IsWindow

• 0x5025ac IsRectEmpty

• 0x5025b0 IsIconic

• 0x5025b4 IsDialogMessageA

• 0x5025b8 IsChild

• 0x5025bc IsCharAlphaNumericA

• 0x5025c0 IsCharAlphaA

• 0x5025c4 InvalidateRect

• 0x5025c8 IntersectRect

• 0x5025cc InsertMenuItemA

• 0x5025d0 InsertMenuA

• 0x5025d4 InflateRect

• 0x5025d8 GetWindowThreadProcessId

• 0x5025dc GetWindowTextA

• 0x5025e0 GetWindowRect

• 0x5025e4 GetWindowPlacement

• 0x5025e8 GetWindowLongA

• 0x5025ec GetWindowDC

• 0x5025f0 GetTopWindow

• 0x5025f4 GetSystemMetrics

• 0x5025f8 GetSystemMenu

• 0x5025fc GetSysColorBrush

• 0x502600 GetSysColor

• 0x502604 GetSubMenu

• 0x502608 GetScrollRange

• 0x50260c GetScrollPos

• 0x502610 GetScrollInfo

• 0x502614 GetPropA

• 0x502618 GetParent

• 0x50261c GetWindow

• 0x502620 GetMenuStringA

• 0x502624 GetMenuState

• 0x502628 GetMenuItemInfoA

• 0x50262c GetMenuItemID

• 0x502630 GetMenuItemCount

• 0x502634 GetMenu

• 0x502638 GetLastActivePopup

• 0x50263c GetKeyboardState

• 0x502640 GetKeyboardLayoutList

• 0x502644 GetKeyboardLayout

• 0x502648 GetKeyState

• 0x50264c GetKeyNameTextA

• 0x502650 GetIconInfo

• 0x502654 GetForegroundWindow

• 0x502658 GetFocus

• 0x50265c GetDesktopWindow

• 0x502660 GetDCEx

• 0x502664 GetDC

• 0x502668 GetCursorPos

• 0x50266c GetCursor

• 0x502670 GetClipboardData

• 0x502674 GetClientRect

• 0x502678 GetClassNameA

• 0x50267c GetClassInfoA

• 0x502680 GetCapture

• 0x502684 GetActiveWindow

• 0x502688 FrameRect

• 0x50268c FindWindowA

• 0x502690 FillRect

• 0x502694 EqualRect

• 0x502698 EnumWindows

• 0x50269c EnumThreadWindows

• 0x5026a0 EnumClipboardFormats

• 0x5026a4 EndPaint

• 0x5026a8 EnableWindow

• 0x5026ac EnableScrollBar

• 0x5026b0 EnableMenuItem

• 0x5026b4 EmptyClipboard

• 0x5026b8 DrawTextA

• 0x5026bc DrawMenuBar

• 0x5026c0 DrawIconEx

• 0x5026c4 DrawIcon

• 0x5026c8 DrawFrameControl

• 0x5026cc DrawFocusRect

• 0x5026d0 DrawEdge

• 0x5026d4 DispatchMessageA

• 0x5026d8 DestroyWindow

• 0x5026dc DestroyMenu

• 0x5026e0 DestroyIcon

• 0x5026e4 DestroyCursor

• 0x5026e8 DeleteMenu

• 0x5026ec DefWindowProcA

• 0x5026f0 DefMDIChildProcA

• 0x5026f4 DefFrameProcA

• 0x5026f8 CreatePopupMenu

• 0x5026fc CreateMenu

• 0x502700 CreateIcon

• 0x502704 CloseClipboard

• 0x502708 ClientToScreen

• 0x50270c CheckMenuItem

• 0x502710 CallWindowProcA

• 0x502714 CallNextHookEx

• 0x502718 BeginPaint

• 0x50271c CharNextA

• 0x502720 CharLowerBuffA

• 0x502724 CharLowerA

• 0x502728 CharUpperBuffA

• 0x50272c CharToOemA

• 0x502730 AdjustWindowRectEx

• 0x502734 ActivateKeyboardLayout

Library kernel32.dll:

• 0x50273c Sleep

Library oleaut32.dll:

• 0x502744 SafeArrayPtrOfIndex

• 0x502748 SafeArrayPutElement

• 0x50274c SafeArrayGetElement

• 0x502750 SafeArrayUnaccessData

• 0x502754 SafeArrayAccessData

• 0x502758 SafeArrayGetUBound

• 0x50275c SafeArrayGetLBound

• 0x502760 SafeArrayCreate

• 0x502764 VariantChangeType

• 0x502768 VariantCopyInd

• 0x50276c VariantCopy

• 0x502770 VariantClear

• 0x502774 VariantInit

Library ole32.dll:

• 0x50277c CoUninitialize

• 0x502780 CoInitialize

Library oleaut32.dll:

• 0x502788 GetErrorInfo

• 0x50278c SysFreeString

Library comctl32.dll:

• 0x502794 ImageList_SetIconSize

• 0x502798 ImageList_GetIconSize

• 0x50279c ImageList_Write

• 0x5027a0 ImageList_Read

• 0x5027a4 ImageList_GetDragImage

• 0x5027a8 ImageList_DragShowNolock

• 0x5027ac ImageList_SetDragCursorImage

• 0x5027b0 ImageList_DragMove

• 0x5027b4 ImageList_DragLeave

• 0x5027b8 ImageList_DragEnter

• 0x5027bc ImageList_EndDrag

• 0x5027c0 ImageList_BeginDrag

• 0x5027c4 ImageList_Remove

• 0x5027c8 ImageList_DrawEx

• 0x5027cc ImageList_Draw

• 0x5027d0 ImageList_GetBkColor

• 0x5027d4 ImageList_SetBkColor

• 0x5027d8 ImageList_ReplaceIcon

• 0x5027dc ImageList_Add

• 0x5027e0 ImageList_SetImageCount

• 0x5027e4 ImageList_GetImageCount

• 0x5027e8 ImageList_Destroy

• 0x5027ec ImageList_Create

Library advapi32.dll:

• 0x5027f4 QueryServiceStatus

• 0x5027f8 OpenServiceA

• 0x5027fc OpenSCManagerA

• 0x502800 CloseServiceHandle

Library url.dll:

• 0x502808 InetIsOffline

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
drive.google.com	A 69.171.244.15	108.160.167.174
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900
192.168.56.101	50535	239.255.255.250	3702
192.168.56.101	56540	239.255.255.250	3702
192.168.56.101	56807	239.255.255.250	1900
192.168.56.101	58707	239.255.255.250	3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.