Summary | ZeroBOX

380g.exe

Tags: .NET framework (MSIL), Malicious Library, ScreenShot, AntiDebug, PE File, PE32, .NET EXE, AntiVM
Category: FILE
Machine: s1_win7_x6403_us
Started: Aug. 12, 2024, 8:51 a.m.
Completed: Aug. 12, 2024, 8:54 a.m.
Size 5.5MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 81ee3f681043fedf57e73b20e6c3cf02
SHA256 8da728a03e795aa9fb0aa4613759d6bdb10797107dcfb0bb23253514f890a062
CRC32 CDA8A558
ssdeep 98304:RBk5YfWV/DgIDf7LJzShceZVH3Strvi5/iu86hmfPyBDOlEEub3JUM:TknV/D0hJVHipsiu86hm32DOlEEkZ
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
103.89.91.169 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00826260
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x008261e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x008261e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00950f40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00950ec0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00950ec0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ca0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2052
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2052
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ce0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00e30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00282000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0029c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002bb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a61000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0028a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0028c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a62000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0029d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a63000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a64000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0029a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a66000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a6f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ca1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01390000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01391000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 28672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01392000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01399000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0139a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0139b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0139c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0139d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0139f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013a1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013a8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013a9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2052
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 38400
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f30400
process_handle: 0xffffffff
3221225550 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x013ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
section .text: virtual_address 0x00002000, virtual_size 0x00560e04, size_of_data 0x00561000, entropy 7.691539704330938 description A section with a high entropy has been found
entropy 0.983395822175 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2848
process_handle: 0x00000354
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2848
process_handle: 0x00000354
1 0 0
host 103.89.91.169
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1171456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002cc
1 0 0

NtProtectVirtualMemory

process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 1171456
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0x000002cc
1 0 0

NtAllocateVirtualMemory

process_identifier: 2848
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000032c
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2848
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000032c
1 0 0

NtAllocateVirtualMemory

process_identifier: 2892
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000035c
1 0 0

NtProtectVirtualMemory

process_identifier: 2892
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 163840
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0x0000035c
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description AddInProcess32.exe tried to sleep 2728164 seconds, actually delayed analysis time by 2728164 seconds
description 380g.exe tried to sleep 5456532 seconds, actually delayed analysis time by 5456532 seconds
Process injection Process 2052 manipulating memory of non-child process 2848
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2848
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000032c
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2848
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000032c
1 0 0

NtProtectVirtualMemory

process_identifier: 2848
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 163840
protection: 1 (PAGE_NOACCESS)
base_address: 0x00400000
process_handle: 0x0000032c
3221225517 0
Process injection Process 2052 injected into non-child 2848
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELþ³Ÿ%à tN5 @@ à`…ô4W@ŒpÀ  H.textT  `.rsrcŒp@r@@.reloc ÀŠ@B
base_address: 0x00400000
process_identifier: 2636
process_handle: 0x000002cc
1 1 0

WriteProcessMemory

buffer: 0 P5
base_address: 0x0051c000
process_identifier: 2636
process_handle: 0x000002cc
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2636
process_handle: 0x000002cc
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL±!cà  „Æo” @€´j@@0¢PpÌ ¡ p.textF}~ `.itexti‚ `.rdata² ˆ@@.dataÈ­° Ž@À.pdatañ ` .@À.relocÌp:@B
base_address: 0x000b0000
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer: (opaque binary data omitted)
base_address: 0x000c9000
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer: (opaque binary data omitted)
base_address: 0x000ca000
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer: (opaque binary data omitted)
base_address: 0x000d6000
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x7efde008
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL±!cà  „Æo” @€´j@@0¢PpÌ ¡ p.textF}~ `.itexti‚ `.rdata² ˆ@@.dataÈ­° Ž@À.pdatañ ` .@À.relocÌp:@B
base_address: 0x00400000
process_identifier: 2892
process_handle: 0x0000035c
1 1 0

WriteProcessMemory

buffer: (opaque binary data omitted)
base_address: 0x00419000
process_identifier: 2892
process_handle: 0x0000035c
1 1 0

WriteProcessMemory

buffer: (opaque binary data omitted)
base_address: 0x0041a000
process_identifier: 2892
process_handle: 0x0000035c
1 1 0

WriteProcessMemory

buffer: (opaque binary data omitted)
base_address: 0x00426000
process_identifier: 2892
process_handle: 0x0000035c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2892
process_handle: 0x0000035c
1 1 0
Process injection Process 2052 injected into non-child 2848
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELþ³Ÿ%à tN5 @@ à`…ô4W@ŒpÀ  H.textT  `.rsrcŒp@r@@.reloc ÀŠ@B
base_address: 0x00400000
process_identifier: 2636
process_handle: 0x000002cc
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL±!cà  „Æo” @€´j@@0¢PpÌ ¡ p.textF}~ `.itexti‚ `.rdata² ˆ@@.dataÈ­° Ž@À.pdatañ ` .@À.relocÌp:@B
base_address: 0x000b0000
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL±!cà  „Æo” @€´j@@0¢PpÌ ¡ p.textF}~ `.itexti‚ `.rdata² ˆ@@.dataÈ­° Ž@À.pdatañ ` .@À.relocÌp:@B
base_address: 0x00400000
process_identifier: 2892
process_handle: 0x0000035c
1 1 0
Process injection Process 2052 called NtSetContextThread to modify thread in remote process 2636
Process injection Process 2052 called NtSetContextThread to modify thread in remote process 2892
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5256526
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002c8
process_identifier: 2636
1 0 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4297839
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000358
process_identifier: 2892
1 0 0
file C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe\:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\380g.exe\:Zone.Identifier
Process injection Process 2052 resumed a thread in remote process 2636
Process injection Process 2052 resumed a thread in remote process 2892
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000002c8
suspend_count: 1
process_identifier: 2636
1 0 0

NtResumeThread

thread_handle: 0x00000358
suspend_count: 1
process_identifier: 2892
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2052
1 0 0

NtResumeThread

thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2052
1 0 0

NtResumeThread

thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2052
1 0 0

NtResumeThread

thread_handle: 0x00000284
suspend_count: 1
process_identifier: 2052
1 0 0

NtGetContextThread

thread_handle: 0x000000e0
1 0 0

NtGetContextThread

thread_handle: 0x000000e0
1 0 0

NtResumeThread

thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2052
1 0 0

NtResumeThread

thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 2052
1 0 0

NtResumeThread

thread_handle: 0x000002b4
suspend_count: 1
process_identifier: 2052
1 0 0

CreateProcessInternalW

thread_identifier: 2640
thread_handle: 0x000002c8
process_identifier: 2636
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
track: 1
command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000002cc
1 1 0

NtGetContextThread

thread_handle: 0x000002c8
1 0 0

NtAllocateVirtualMemory

process_identifier: 2636
region_size: 1171456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000002cc
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELþ³Ÿ%à tN5 @@ à`…ô4W@ŒpÀ  H.textT  `.rsrcŒp@r@@.reloc ÀŠ@B
base_address: 0x00400000
process_identifier: 2636
process_handle: 0x000002cc
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00402000
process_identifier: 2636
process_handle: 0x000002cc
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00504000
process_identifier: 2636
process_handle: 0x000002cc
1 1 0

WriteProcessMemory

buffer: 0 P5
base_address: 0x0051c000
process_identifier: 2636
process_handle: 0x000002cc
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2636
process_handle: 0x000002cc
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5256526
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000002c8
process_identifier: 2636
1 0 0

NtResumeThread

thread_handle: 0x000002c8
suspend_count: 1
process_identifier: 2636
1 0 0

NtResumeThread

thread_handle: 0x00000324
suspend_count: 1
process_identifier: 2052
1 0 0

NtResumeThread

thread_handle: 0x00000348
suspend_count: 1
process_identifier: 2052
1 0 0

CreateProcessInternalW

thread_identifier: 2852
thread_handle: 0x000002f8
process_identifier: 2848
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
track: 1
command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000032c
1 1 0

NtGetContextThread

thread_handle: 0x000002f8
1 0 0

NtAllocateVirtualMemory

process_identifier: 2848
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000032c
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2848
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000032c
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL±!cà  „Æo” @€´j@@0¢PpÌ ¡ p.textF}~ `.itexti‚ `.rdata² ˆ@@.dataÈ­° Ž@À.pdatañ ` .@À.relocÌp:@B
base_address: 0x000b0000
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x000b1000
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer: ÃU‹ìSVW‹u ‹}»­ÈÁÈ ‹Ð÷Ò­ÁÀ È3«­ÁÀ ȋÐ÷Ò«­ÁÀÈ3‹Ð÷Ò«ÁÀ3«wðK…ÛuÇ_^[]@U‹ìSVW¸üýþÿ¹@‹]‰D‹ü-Iuô‹} ¾@3ÛU‹m‹Á3Ò÷öŠÁŠTӊ\ŠT†TˆTAùuÖ]3ɋ}¾ U‹m‹Á3Ò÷öŠÁŠTӊ\ŠT†TˆTAùuÖ]3ɋ} ¾@U‹m‹Á3Ò÷öŠÁŠTӊ\ŠT†TˆTAùuÖ]‹Ã_^[] U‹ìSVW3À‹]3É3ҋu ‹}…öt3U‹mŠT ӊ\ŠTŠTþŠD0ŠT†T ˆTþÁGN…öuÒ]_^[]fff„è€ûÿÿff„è ÏþÿfDèÆÿÿff„è ßÿÿf„jÿÈUBDèdøÿÿèeøÿÿèHøÿÿèIøÿÿèbøÿÿèWøÿÿè@øÿÿèYøÿÿèBøÿÿè=øÿÿè øÿÿèñ÷ÿÿè øÿÿèí÷ÿÿèøÿÿèøÿÿèä÷ÿÿè÷÷ÿÿèæ÷ÿÿèÛ÷ÿÿèâ÷ÿÿè3ãÿÿè@ãÿÿèMãÿÿè*ãÿÿè7ãÿÿè,ãÿÿèEãÿÿè ãÿÿè5ãÿÿè$ãÿÿèãÿÿèãÿÿèãÿÿ
base_address: 0x000c9000
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer: \¤’¤~¤l¤¤F¤4¤"¤ü£î££¦£¸£Ê£Ø£z£>£j£Z£J£ð¢.££ £ú¢±!c ô<¡<‰ì|.textìŒZ.text$mni.itext p.idata$5p Ì.rdata<¡ô.rdata$zzzdbg0¢<.idata$2l¢.idata$3€¢p.idata$4ð¢Â.idata$6°pŸ.datapOX.bss`.xyzÄ¢†£D ¤¢¤$ €¢¤¤ \¤’¤~¤l¤¤F¤4¤"¤ü£î££¦£¸£Ê£Ø£z£>£j£Z£J£ð¢.££ £ú¢ BitBlt(CreateDIBitmap3CreateFontWECreateSolidBrushªGetDeviceCapsÔGetPixelåGetTextColor.SelectObject/SelectPaletteNSetPixelgdi32.dllcCreateDialogParamWnCreateWindowExWœDefWindowProcW'GetDlgItemÎIsDlgButtonCheckedïLoadImageW÷LoadMenuWUSER32.dllžFreeLibraryÉGetCommandLineAÊGetCommandLineW6GetFileAttributesWQGetLastErrorUGetLocaleInfoWeGetModuleHandleAžGetProcAddressKERNEL32.dll
base_address: 0x000ca000
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x000cb000
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer: T0…MªXjå O»ª™WÇFâO¥ì“¥3ãÅÀÍÂaÜ`-=ßdž~!¹ŽÌB'•Ã[ƒëރ€A^eÄçÀQ÷Šhθžä%þ›»U[·Òn0 QoÈGè×êÌdØwÑ'IöÕž{¿¾{+n~ßÙØ3'd&I!¯(2úï@Ì°'Ö’{ x³ƒ±m¿··Ö§Ú>þ²‰=¿Væó1΀"«ôvE àtŒ²?JµawŒH’ŒÄN »»&¹<0û£f<ÏáEa3€:䚑- ³DGúTI TÖc]¯ü7šaÕ(zÔò@-&Xé] X×·8`vƈyþƒ“|÷t¢ÏK‹‹4o÷vÀ^ïr– I:$Š.EôO ÝÙÛ¥h¢¾.§¸Èˆ4¾"iNgÙW’Ž‰ Ò 1tÆMÃ>¥/Æ&2½·|Z(œ›øq[CM ,Æ\6Llq#H‡žÎF6gSôƒ7Ê{Ö+Ž‹EÎ×`‘ˆ@4Çú :6(ö(Ýô?Ç9nÑ'Ž¥û㿲1*A8;nð}­jÓ±k] ‡úT”w¾kÌ_;:Qæ›Å”*^®HþÓt¨Ašá؛£?GýÀ2ܶV;-˜ÍUÂ+êÊÓO™d˜U½$',tÊ•¥N?/ꭔõ3ÿd9¤¢žT‘ å*€ L¯¦>ÐUŘbÜÁ5Ž(ÊHëšßâ£ÃP„~ñYsW‹… b\d¥6Þnâlî2rD <î8ãHWðï«®_>[­Ö›úB¥Gâmåêå‡ÑoG'î’j !‚ DJ·ÉQôLWyí`±†¨ÿ®˜‘jŸô tb¡@ý®*(}*v*Cûƒè4û£+<ú&XOvï ì#¶üì"œùÀ)i³nÌa °ÕC‚#‘š¤©5ç øhCäÉr¡P^Ùîäk¦Öö·ï9¾=—¥±:Q“«g$òc­D‰ìdÓ'™½ ÞÍx}÷°að«}B–¢€$g{Y>aclr9ÿ*%äÓ÷Ù  4­8EÐÿ¶ø¡ÊÀSGärXJлºúb{Ÿ´Òº%‘TrЩ¶ˆølúÆúƒ{×ÍÔµ±``ì¹´|æÿC(ò;>³­¢†X½a±±>­ð‚F®Ïã[ŠJ g‘9|ُ‡y´ê þù‰Ü„7ÊiOêÂ:Þ áˆŸû?Ø>F–V1J[w)8‚EÞø¾ÈGš¬ T•ÅQyÿ+? @*93Èw*ѵFùñðPTË©ì+d¦¬SasF©¹9;ã6Ç!ã áÚ¡g„*Y }¶uÛïµ¢Lˆ³Ã~KtUÝø…X›MÏT4ûº%`çÇ]dê6 c5už›ŽWô¶1ï6äê£(‚n‚P‰®YRž­¸l|pv•âÙZ/e¸L–ù_`j²•õ-~]çxµ^ôÈÃØì@½#t®á:ÄÒÝáí.¥^*ؤ+ 2˜PØ^Ïtv‹Ïލ`â`EÄÖÕà[_Íç%ÁVŒQ äõÀæ÷, ®‡ÁÓ¢²KÌWՐ·³I$éߘ@k~۞f[!¨ œúŸv;JS¨ï¥¹Ù)8§_á{\&…â–¢Öˆf5ÒCé0xCÅmñ£ “ïÖz ²§L¿À_”Žsd49æcô¬½áF>]Î'kUëPœð*’@O4Ê{èF¤*º•Qb›Z š¿„³Ž“ÁçŏÕ+‹ö둚ã5=“䈔9]ê|ÃÀ̈́Ôe«1¥ãZIºzBï*\²þÅí'%¡ÐàɒQ¢Úï]¬Èd.áBh—88Àë[Ò}Ûp–-Íjf¿³d…lƐuøXׇ üZ„[ÓT_é3¶“¾cŽš d[Œõ›\®z€Ïq¨Ñä*ÞE Ïl€e¡­-YE0ƶjSXÝ»oÇ üýO³?©ˆóÔn/Qyü/Gw}½k >Ô¢ ”ÂÁN·³6cHö–ï2ÆöX*KƒP­„îBž~“4ŸJP;7HÿSTî |Ì䎯,X¢IÑMX‡5éA ™Mxt4ÄÚé/­GòT°?O¬2ƒRÖv BèÐIô㘴Ämƒù0¤¸ûÁÑ!ˆçþoà]î«ïR¤ ÜtÕX¾¼…ÓôØæj ÕIâ¤H $KeÇןߦ@Pò«'¸~qÄb¯õÌxª»?›aÍ }ØE Aq¾9¢ª0b׏´¦ÔÚ3Î 1„îÒmÔÏfà{¾ÏV,@´&™È5B©\&Ìù¤ýHžýÈ ®¿>œ†ƒtŒ–ö´”ÎTüžI·néeÂ(e¸@}”,çù¡y:rÃDÆo5Ì÷Tõ´1ˆåšÁ>¶#RÉQ×Ԃ-x­½ø¢„óCò ìܧݱUAÀ¡Ljœf€\M„Áîq¨NÙÍîóãµi-{ ûûÞéÔbøO­ÁKû[6Óð·ùÈ3ìîäÇ&ñ,#vò ×û0öçãV†õÙ8„Øø»C  °>°äÙ×}MÈ¼Û €ƒ’SJʈs“ÒÜ¢šQ¤wC.^yéEÊõÄv»\xãìç1Xžà9¹Y©ž3D>H„ÒÒÈ÷¥ MæÓnfý’Ä«7ò…ªÓ8 ©.4 +(8#Õm„(zkÞ2Õ/&ð숳hZÖw yñ <ä_âZ؈¤C0ͯ:w0©5vùúˆöeÉÐtRð+z‡?çÝ8$ RÖÓj¿­·ÝØ $Ü׏٫œxBüÒÞ,ïâdSíܨÔ C8çsž·Mʅ¸24µó³ËHRiÈJ&JNfè<Gjûsw ©CŒóMâ´CõćR&S° ֙ôÂ?–1ÎJ0W"°¨°ûÏ*™`&w.–§Þñé@¢¾×UŽyõºvïå°?br1«oXŸ†‰°R@rËß%&D^§c‚¹È{Dâ^u¨ý× 
ÂPRÒ=å؋ì­›qu›}ç;˪_0~XŒÎ°¹«®÷(^…Ï€ ¿Ù&ùñâï‰Ü¦Ie9¾®~øvºöÑcüxUrB«Øj ©Zð|RÅ[(ÿeÿJǵéÒÕØØO:Փɷre„@ÖQ¸Ú[,ü'üÛ¶ Ü:•¯m² ÉM‡xA½YðÐßúœhz¼¥¨ÉžñëƒgêTº(ÅOÛŗÕY†‰—KSOg´C¼¹;‰M!Œn¸Ô§ Ғ(ÇP€³hDlagÒ.pÙPá¯)ŽÿücëðŠÐß‹y@ÎN¸Z,'“äö0±\í6 _ÄŽJ>¾vW_< _§q‡Ô™bY&Ìx«–j.7lî¿]ÝCìÄXˆ5¦ A0ÓjVrý^57©Ð‚ÙW7{ŪxÏ; î1sđ£šO½¾Ä½XèBÝ…§¾œ? n»q$*fºTxøÛ,?®°XÃ]o)ȹü™ ì«^_à86F5Z5\ŠïÏP*CŽ>èeî ¿Õ´ãrÀ4J¨lý´´óÏ<ˆÚ°³;ÃñLci ۀÔלñ*€:Õ¦`?ÄxùÀ9þ1Pˆ]Hûê;7ƒÖÝïÁ¹¶œ3ڔvۚ(Š¶ýâJ@8µJŽO+ð´ }ÓoViR¦íb˼Çëf5WñxÃKG1å–S,ûÎVžª‡ ž "+’>¿Éf^¶c04=È´¦£ötnpII°¿?áñ”Ý3Ü{è&žÉÖ«ÑØÄ(ÂsI»b­„΍IÞeYäN§˜.$ 5{hdZð£rYÑÍ/&ʞ~.ƒPX¶º%8Í3Texñ-¤–4½+ 1˅ýfY)þ¨x+'A¾‘4ª÷KŸ ]÷¯WšêG1â(‘E:è`¦¸Þ”âK ¼¿Ý ü¥ŽÈÙÄÉ&¬!bg¶n¾”ß5 ÏIDܶ.À²ÑÇuP·^`‚f«Í>ƒ×c†^œ,ÀSn<†‡Z&“e€¿°‚DŠyê‡#o¢^3ÛIc
base_address: 0x000d6000
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x000d7000
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x7efde008
process_identifier: 2848
process_handle: 0x0000032c
1 1 0

CreateProcessInternalW

thread_identifier: 2896
thread_handle: 0x00000358
process_identifier: 2892
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
track: 1
command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000035c
1 1 0

NtGetContextThread

thread_handle: 0x00000358
1 0 0

NtAllocateVirtualMemory

process_identifier: 2892
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000035c
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL±!cà  „Æo” @€´j@@0¢PpÌ ¡ p.textF}~ `.itexti‚ `.rdata² ˆ@@.dataÈ­° Ž@À.pdatañ ` .@À.relocÌp:@B
base_address: 0x00400000
process_identifier: 2892
process_handle: 0x0000035c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2892
process_handle: 0x0000035c
1 1 0

WriteProcessMemory

buffer: ÃU‹ìSVW‹u ‹}»­ÈÁÈ ‹Ð÷Ò­ÁÀ È3«­ÁÀ ȋÐ÷Ò«­ÁÀÈ3‹Ð÷Ò«ÁÀ3«wðK…ÛuÇ_^[]@U‹ìSVW¸üýþÿ¹@‹]‰D‹ü-Iuô‹} ¾@3ÛU‹m‹Á3Ò÷öŠÁŠTӊ\ŠT†TˆTAùuÖ]3ɋ}¾ U‹m‹Á3Ò÷öŠÁŠTӊ\ŠT†TˆTAùuÖ]3ɋ} ¾@U‹m‹Á3Ò÷öŠÁŠTӊ\ŠT†TˆTAùuÖ]‹Ã_^[] U‹ìSVW3À‹]3É3ҋu ‹}…öt3U‹mŠT ӊ\ŠTŠTþŠD0ŠT†T ˆTþÁGN…öuÒ]_^[]fff„è€ûÿÿff„è ÏþÿfDèÆÿÿff„è ßÿÿf„jÿÈUBDèdøÿÿèeøÿÿèHøÿÿèIøÿÿèbøÿÿèWøÿÿè@øÿÿèYøÿÿèBøÿÿè=øÿÿè øÿÿèñ÷ÿÿè øÿÿèí÷ÿÿèøÿÿèøÿÿèä÷ÿÿè÷÷ÿÿèæ÷ÿÿèÛ÷ÿÿèâ÷ÿÿè3ãÿÿè@ãÿÿèMãÿÿè*ãÿÿè7ãÿÿè,ãÿÿèEãÿÿè ãÿÿè5ãÿÿè$ãÿÿèãÿÿèãÿÿèãÿÿ
base_address: 0x00419000
process_identifier: 2892
process_handle: 0x0000035c
1 1 0

WriteProcessMemory

buffer: \¤’¤~¤l¤¤F¤4¤"¤ü£î££¦£¸£Ê£Ø£z£>£j£Z£J£ð¢.££ £ú¢±!c ô<¡<‰ì|.textìŒZ.text$mni.itext p.idata$5p Ì.rdata<¡ô.rdata$zzzdbg0¢<.idata$2l¢.idata$3€¢p.idata$4ð¢Â.idata$6°pŸ.datapOX.bss`.xyzÄ¢†£D ¤¢¤$ €¢¤¤ \¤’¤~¤l¤¤F¤4¤"¤ü£î££¦£¸£Ê£Ø£z£>£j£Z£J£ð¢.££ £ú¢ BitBlt(CreateDIBitmap3CreateFontWECreateSolidBrushªGetDeviceCapsÔGetPixelåGetTextColor.SelectObject/SelectPaletteNSetPixelgdi32.dllcCreateDialogParamWnCreateWindowExWœDefWindowProcW'GetDlgItemÎIsDlgButtonCheckedïLoadImageW÷LoadMenuWUSER32.dllžFreeLibraryÉGetCommandLineAÊGetCommandLineW6GetFileAttributesWQGetLastErrorUGetLocaleInfoWeGetModuleHandleAžGetProcAddressKERNEL32.dll
base_address: 0x0041a000
process_identifier: 2892
process_handle: 0x0000035c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0041b000
process_identifier: 2892
process_handle: 0x0000035c
1 1 0

WriteProcessMemory

buffer: T0…MªXjå O»ª™WÇFâO¥ì“¥3ãÅÀÍÂaÜ`-=ßdž~!¹ŽÌB'•Ã[ƒëރ€A^eÄçÀQ÷Šhθžä%þ›»U[·Òn0 QoÈGè×êÌdØwÑ'IöÕž{¿¾{+n~ßÙØ3'd&I!¯(2úï@Ì°'Ö’{ x³ƒ±m¿··Ö§Ú>þ²‰=¿Væó1΀"«ôvE àtŒ²?JµawŒH’ŒÄN »»&¹<0û£f<ÏáEa3€:䚑- ³DGúTI TÖc]¯ü7šaÕ(zÔò@-&Xé] X×·8`vƈyþƒ“|÷t¢ÏK‹‹4o÷vÀ^ïr– I:$Š.EôO ÝÙÛ¥h¢¾.§¸Èˆ4¾"iNgÙW’Ž‰ Ò 1tÆMÃ>¥/Æ&2½·|Z(œ›øq[CM ,Æ\6Llq#H‡žÎF6gSôƒ7Ê{Ö+Ž‹EÎ×`‘ˆ@4Çú :6(ö(Ýô?Ç9nÑ'Ž¥û㿲1*A8;nð}­jÓ±k] ‡úT”w¾kÌ_;:Qæ›Å”*^®HþÓt¨Ašá؛£?GýÀ2ܶV;-˜ÍUÂ+êÊÓO™d˜U½$',tÊ•¥N?/ꭔõ3ÿd9¤¢žT‘ å*€ L¯¦>ÐUŘbÜÁ5Ž(ÊHëšßâ£ÃP„~ñYsW‹… b\d¥6Þnâlî2rD <î8ãHWðï«®_>[­Ö›úB¥Gâmåêå‡ÑoG'î’j !‚ DJ·ÉQôLWyí`±†¨ÿ®˜‘jŸô tb¡@ý®*(}*v*Cûƒè4û£+<ú&XOvï ì#¶üì"œùÀ)i³nÌa °ÕC‚#‘š¤©5ç øhCäÉr¡P^Ùîäk¦Öö·ï9¾=—¥±:Q“«g$òc­D‰ìdÓ'™½ ÞÍx}÷°að«}B–¢€$g{Y>aclr9ÿ*%äÓ÷Ù  4­8EÐÿ¶ø¡ÊÀSGärXJлºúb{Ÿ´Òº%‘TrЩ¶ˆølúÆúƒ{×ÍÔµ±``ì¹´|æÿC(ò;>³­¢†X½a±±>­ð‚F®Ïã[ŠJ g‘9|ُ‡y´ê þù‰Ü„7ÊiOêÂ:Þ áˆŸû?Ø>F–V1J[w)8‚EÞø¾ÈGš¬ T•ÅQyÿ+? @*93Èw*ѵFùñðPTË©ì+d¦¬SasF©¹9;ã6Ç!ã áÚ¡g„*Y }¶uÛïµ¢Lˆ³Ã~KtUÝø…X›MÏT4ûº%`çÇ]dê6 c5už›ŽWô¶1ï6äê£(‚n‚P‰®YRž­¸l|pv•âÙZ/e¸L–ù_`j²•õ-~]çxµ^ôÈÃØì@½#t®á:ÄÒÝáí.¥^*ؤ+ 2˜PØ^Ïtv‹Ïލ`â`EÄÖÕà[_Íç%ÁVŒQ äõÀæ÷, ®‡ÁÓ¢²KÌWՐ·³I$éߘ@k~۞f[!¨ œúŸv;JS¨ï¥¹Ù)8§_á{\&…â–¢Öˆf5ÒCé0xCÅmñ£ “ïÖz ²§L¿À_”Žsd49æcô¬½áF>]Î'kUëPœð*’@O4Ê{èF¤*º•Qb›Z š¿„³Ž“ÁçŏÕ+‹ö둚ã5=“䈔9]ê|ÃÀ̈́Ôe«1¥ãZIºzBï*\²þÅí'%¡ÐàɒQ¢Úï]¬Èd.áBh—88Àë[Ò}Ûp–-Íjf¿³d…lƐuøXׇ üZ„[ÓT_é3¶“¾cŽš d[Œõ›\®z€Ïq¨Ñä*ÞE Ïl€e¡­-YE0ƶjSXÝ»oÇ üýO³?©ˆóÔn/Qyü/Gw}½k >Ô¢ ”ÂÁN·³6cHö–ï2ÆöX*KƒP­„îBž~“4ŸJP;7HÿSTî |Ì䎯,X¢IÑMX‡5éA ™Mxt4ÄÚé/­GòT°?O¬2ƒRÖv BèÐIô㘴Ämƒù0¤¸ûÁÑ!ˆçþoà]î«ïR¤ ÜtÕX¾¼…ÓôØæj ÕIâ¤H $KeÇןߦ@Pò«'¸~qÄb¯õÌxª»?›aÍ }ØE Aq¾9¢ª0b׏´¦ÔÚ3Î 1„îÒmÔÏfà{¾ÏV,@´&™È5B©\&Ìù¤ýHžýÈ ®¿>œ†ƒtŒ–ö´”ÎTüžI·néeÂ(e¸@}”,çù¡y:rÃDÆo5Ì÷Tõ´1ˆåšÁ>¶#RÉQ×Ԃ-x­½ø¢„óCò ìܧݱUAÀ¡Ljœf€\M„Áîq¨NÙÍîóãµi-{ ûûÞéÔbøO­ÁKû[6Óð·ùÈ3ìîäÇ&ñ,#vò ×û0öçãV†õÙ8„Øø»C  °>°äÙ×}MÈ¼Û €ƒ’SJʈs“ÒÜ¢šQ¤wC.^yéEÊõÄv»\xãìç1Xžà9¹Y©ž3D>H„ÒÒÈ÷¥ MæÓnfý’Ä«7ò…ªÓ8 ©.4 +(8#Õm„(zkÞ2Õ/&ð숳hZÖw yñ <ä_âZ؈¤C0ͯ:w0©5vùúˆöeÉÐtRð+z‡?çÝ8$ RÖÓj¿­·ÝØ $Ü׏٫œxBüÒÞ,ïâdSíܨÔ C8çsž·Mʅ¸24µó³ËHRiÈJ&JNfè<Gjûsw ©CŒóMâ´CõćR&S° ֙ôÂ?–1ÎJ0W"°¨°ûÏ*™`&w.–§Þñé@¢¾×UŽyõºvïå°?br1«oXŸ†‰°R@rËß%&D^§c‚¹È{Dâ^u¨ý× 
ÂPRÒ=å؋ì­›qu›}ç;˪_0~XŒÎ°¹«®÷(^…Ï€ ¿Ù&ùñâï‰Ü¦Ie9¾®~øvºöÑcüxUrB«Øj ©Zð|RÅ[(ÿeÿJǵéÒÕØØO:Փɷre„@ÖQ¸Ú[,ü'üÛ¶ Ü:•¯m² ÉM‡xA½YðÐßúœhz¼¥¨ÉžñëƒgêTº(ÅOÛŗÕY†‰—KSOg´C¼¹;‰M!Œn¸Ô§ Ғ(ÇP€³hDlagÒ.pÙPá¯)ŽÿücëðŠÐß‹y@ÎN¸Z,'“äö0±\í6 _ÄŽJ>¾vW_< _§q‡Ô™bY&Ìx«–j.7lî¿]ÝCìÄXˆ5¦ A0ÓjVrý^57©Ð‚ÙW7{ŪxÏ; î1sđ£šO½¾Ä½XèBÝ…§¾œ? n»q$*fºTxøÛ,?®°XÃ]o)ȹü™ ì«^_à86F5Z5\ŠïÏP*CŽ>èeî ¿Õ´ãrÀ4J¨lý´´óÏ<ˆÚ°³;ÃñLci ۀÔלñ*€:Õ¦`?ÄxùÀ9þ1Pˆ]Hûê;7ƒÖÝïÁ¹¶œ3ڔvۚ(Š¶ýâJ@8µJŽO+ð´ }ÓoViR¦íb˼Çëf5WñxÃKG1å–S,ûÎVžª‡ ž "+’>¿Éf^¶c04=È´¦£ötnpII°¿?áñ”Ý3Ü{è&žÉÖ«ÑØÄ(ÂsI»b­„΍IÞeYäN§˜.$ 5{hdZð£rYÑÍ/&ʞ~.ƒPX¶º%8Í3Texñ-¤–4½+ 1˅ýfY)þ¨x+'A¾‘4ª÷KŸ ]÷¯WšêG1â(‘E:è`¦¸Þ”âK ¼¿Ý ü¥ŽÈÙÄÉ&¬!bg¶n¾”ß5 ÏIDܶ.À²ÑÇuP·^`‚f«Í>ƒ×c†^œ,ÀSn<†‡Z&“e€¿°‚DŠyê‡#o¢^3ÛIc
base_address: 0x00426000
process_identifier: 2892
process_handle: 0x0000035c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00427000
process_identifier: 2892
process_handle: 0x0000035c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2892
process_handle: 0x0000035c
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4297839
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000358
process_identifier: 2892
1 0 0

NtResumeThread

thread_handle: 0x00000358
suspend_count: 1
process_identifier: 2892
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2636
1 0 0

NtResumeThread

thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2636
1 0 0

NtResumeThread

thread_handle: 0x000001c0
suspend_count: 1
process_identifier: 2636
1 0 0

NtResumeThread

thread_handle: 0x000002c8
suspend_count: 1
process_identifier: 2636
1 0 0