Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 24, 2021, 10:49 p.m.	June 24, 2021, 10:56 p.m.

Size	11.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`cbbcb18ebc303444c72e1f1a3eed22c6`
SHA256	`3f3b3d25afd26aa1c4483f0437c192a7374f85bdcf0d52be8f4ba6bd63b09cd1`
CRC32	`51643A61`
ssdeep	`6144:PNoP3eJAtq+tL3BwV7erhE2g9PBJk5p0YyZVr0DkZmb+WtRGMRfrhoZqKwwY0NxK:2`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

lk.exe "C:\Users\test22\AppData\Local\Temp\lk.exe"
2948
- cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
  1836
  - timeout.exe timeout 1
    1976

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
3.142.81.166	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 24, 2021, 10:49 p.m.			0	0
IsDebuggerPresent June 24, 2021, 10:49 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 24, 2021, 10:49 p.m.	buffer: Waiting for 1 console_handle: 0x00000007	1	1	0
WriteConsoleW June 24, 2021, 10:49 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x01188040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x01187d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2021, 10:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x01187d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2021, 10:49 p.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ June 24, 2021, 10:49 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1 mscorlib+0x2f45a5 @ 0x6ff345a5 mscorlib+0x30a2fa @ 0x6ff4a2fa microsoft+0x54d57 @ 0x722c4d57 microsoft+0x54b2d @ 0x722c4b2d 0x13000fe 0x1300071 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 16968896 registers.edi: 0 registers.eax: 16968896 registers.ebp: 16968976 registers.edx: 0 registers.ebx: 18343400 registers.esi: 18176088 registers.ecx: 2399827143	1
__exception__ June 24, 2021, 10:49 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1 mscorlib+0x2f45d1 @ 0x6ff345d1 mscorlib+0x30a2fa @ 0x6ff4a2fa microsoft+0x54d57 @ 0x722c4d57 microsoft+0x54b2d @ 0x722c4b2d 0x13000fe 0x1300071 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 16968896 registers.edi: 0 registers.eax: 16968896 registers.ebp: 16968976 registers.edx: 0 registers.ebx: 18343400 registers.esi: 18176088 registers.ecx: 2399827143	1
__exception__ June 24, 2021, 10:49 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1 mscorlib+0x2f45aa @ 0x6ff345aa mscorlib+0x30a2fa @ 0x6ff4a2fa microsoft+0x54d57 @ 0x722c4d57 microsoft+0x54b2d @ 0x722c4b2d 0x13000fe 0x1300071 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 16968896 registers.edi: 0 registers.eax: 16968896 registers.ebp: 16968976 registers.edx: 0 registers.ebx: 18343400 registers.esi: 18176088 registers.ecx: 2399827143	1
__exception__ June 24, 2021, 10:49 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1 mscorlib+0x2f45a5 @ 0x6ff345a5 mscorlib+0x30a2fa @ 0x6ff4a2fa microsoft+0x54d57 @ 0x722c4d57 microsoft+0x54b2d @ 0x722c4b2d 0x13000fe 0x1300071 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 16968896 registers.edi: 0 registers.eax: 16968896 registers.ebp: 16968976 registers.edx: 0 registers.ebx: 18343400 registers.esi: 18176088 registers.ecx: 2399827143	1

Allocates read-write-execute memory (usually to unpack itself) (28 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01301000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01302000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01303000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01304000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01305000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	cmd.exe /c timeout 1
cmdline	"C:\Windows\System32\cmd.exe" /c timeout 1

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 24, 2021, 10:49 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 24, 2021, 10:49 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (50 out of 6494 events)

Time & API	Arguments	Status
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2112 process_handle: 0x000003a8
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2112 process_handle: 0x000003a8	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 668 process_handle: 0x000003b0
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 668 process_handle: 0x000003b0	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2720 process_handle: 0x000003b8
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2720 process_handle: 0x000003b8	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1348 process_handle: 0x000003c0
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1348 process_handle: 0x000003c0	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1340 process_handle: 0x000003c8
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1340 process_handle: 0x000003c8	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2368 process_handle: 0x000003d0
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2368 process_handle: 0x000003d0	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2976 process_handle: 0x000003d8
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2976 process_handle: 0x000003d8	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2728 process_handle: 0x000003e0
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2728 process_handle: 0x000003e0	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2776 process_handle: 0x000003e8
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2776 process_handle: 0x000003e8	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1204 process_handle: 0x000003f0
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1204 process_handle: 0x000003f0	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2388 process_handle: 0x000003f8
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2388 process_handle: 0x000003f8	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1556 process_handle: 0x00000404
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1556 process_handle: 0x00000404	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1812 process_handle: 0x0000040c
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1812 process_handle: 0x0000040c	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2276 process_handle: 0x00000414
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2276 process_handle: 0x00000414	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2772 process_handle: 0x0000041c
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2772 process_handle: 0x0000041c	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 260 process_handle: 0x00000424
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 260 process_handle: 0x00000424	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 200 process_handle: 0x0000042c
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 200 process_handle: 0x0000042c	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1912 process_handle: 0x00000434
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1912 process_handle: 0x00000434	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1456 process_handle: 0x0000043c
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 1456 process_handle: 0x0000043c	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2908 process_handle: 0x00000444
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2908 process_handle: 0x00000444	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2324 process_handle: 0x0000044c
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2324 process_handle: 0x0000044c	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2312 process_handle: 0x00000454
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2312 process_handle: 0x00000454	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2420 process_handle: 0x0000045c
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 2420 process_handle: 0x0000045c	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 732 process_handle: 0x00000464
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 732 process_handle: 0x00000464	1
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 584 process_handle: 0x0000046c
NtTerminateProcess June 24, 2021, 10:49 p.m.	status_code: 0xffffffff process_identifier: 584 process_handle: 0x0000046c	1

Communicates with host for which no DNS query was performed (1 event)

host

3.142.81.166

Allocates execute permission to another process indicative of possible code injection (50 out of 3248 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2112 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a0	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 668 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a4	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2720 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ac	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1348 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b4	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1340 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003bc	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2368 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c4	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2976 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003cc	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2728 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d4	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2776 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003dc	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1204 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e4	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2388 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ec	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1556 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f4	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1812 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003fc	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2276 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000408	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2772 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000410	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 260 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000418	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 200 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000420	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1912 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000428	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1456 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000430	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2908 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000438	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2324 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000440	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2312 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000448	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2420 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000450	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 732 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000458	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 584 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000460	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2448 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000468	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2356 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000470	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2532 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000478	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2412 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000480	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2416 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000488	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3100 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000490	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3136 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000498	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3172 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a0	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3208 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a8	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3244 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b0	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3280 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b8	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3316 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004c0	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3352 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004c8	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3388 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004d0	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3424 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004d8	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3460 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004e0	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3496 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004e8	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3532 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004f0	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3568 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004f8	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3604 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000500	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3640 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000508	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3676 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000510	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3712 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000518	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3748 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	3221225496
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 3784 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000528	3221225496

Manipulates memory of a non-child process indicative of process injection (50 out of 6496 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2948 manipulating memory of non-child process 2112
Process injection	Process 2948 manipulating memory of non-child process 668
Process injection	Process 2948 manipulating memory of non-child process 2720
Process injection	Process 2948 manipulating memory of non-child process 1348
Process injection	Process 2948 manipulating memory of non-child process 1340
Process injection	Process 2948 manipulating memory of non-child process 2368
Process injection	Process 2948 manipulating memory of non-child process 2976
Process injection	Process 2948 manipulating memory of non-child process 2728
Process injection	Process 2948 manipulating memory of non-child process 2776
Process injection	Process 2948 manipulating memory of non-child process 1204
Process injection	Process 2948 manipulating memory of non-child process 2388
Process injection	Process 2948 manipulating memory of non-child process 1556
Process injection	Process 2948 manipulating memory of non-child process 1812
Process injection	Process 2948 manipulating memory of non-child process 2276
Process injection	Process 2948 manipulating memory of non-child process 2772
Process injection	Process 2948 manipulating memory of non-child process 260
Process injection	Process 2948 manipulating memory of non-child process 200
Process injection	Process 2948 manipulating memory of non-child process 1912
Process injection	Process 2948 manipulating memory of non-child process 1456
Process injection	Process 2948 manipulating memory of non-child process 2908
Process injection	Process 2948 manipulating memory of non-child process 2324
Process injection	Process 2948 manipulating memory of non-child process 2312
Process injection	Process 2948 manipulating memory of non-child process 2420
Process injection	Process 2948 manipulating memory of non-child process 732
Process injection	Process 2948 manipulating memory of non-child process 584
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2112 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a0	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 668 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a4	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2720 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ac	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1348 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b4	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1340 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003bc	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2368 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c4	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2976 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003cc	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2728 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d4	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2776 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003dc	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1204 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e4	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2388 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ec	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1556 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003f4	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1812 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003fc	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2276 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000408	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2772 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000410	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 260 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000418	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 200 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000420	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1912 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000428	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1456 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000430	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2908 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000438	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2324 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000440	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2312 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000448	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2420 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000450	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 732 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000458	3221225496	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 584 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000460	3221225496	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.MSILHeracles.18094
FireEye	Generic.mg.cbbcb18ebc303444
ALYac	Gen:Variant.MSILHeracles.18094
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.955d11
Arcabit	Trojan.MSILHeracles.D46AE
BitDefenderTheta	Gen:NN.ZemsilF.34758.@p1@aSz@C5ai
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.FFOF
APEX	Malicious
Avast	FileRepMalware
BitDefender	Gen:Variant.MSILHeracles.18094
Ad-Aware	Gen:Variant.MSILHeracles.18094
Emsisoft	Gen:Variant.MSILHeracles.18094 (B)
McAfee-GW-Edition	GenericRXOT-GR!CBBCB18EBC30
Ikarus	Trojan-Downloader.MSIL.Agent
MAX	malware (ai score=85)
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Variant.MSILHeracles.18094
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4518604
McAfee	GenericRXOT-GR!CBBCB18EBC30
Malwarebytes	Trojan.Crypt.MSIL.Generic
SentinelOne	Static AI - Suspicious PE
Fortinet	MSIL/GenKryptik.FGGC!tr
Webroot	W32.Malware.Gen
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_60% (W)

Executed a process and injected code into it, probably while unpacking (50 out of 9776 events)

Time & API	Arguments	Status	Return
NtResumeThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2948	1	0
NtResumeThread June 24, 2021, 10:49 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2948	1	0
NtResumeThread June 24, 2021, 10:49 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2948	1	0
NtResumeThread June 24, 2021, 10:49 p.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2948	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2948	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtResumeThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2948	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread June 24, 2021, 10:49 p.m.	registers.eip: 1920740228 registers.esp: 16969104 registers.edi: 136122412 registers.eax: 7274528 registers.ebp: 16969108 registers.edx: 136146906 registers.ebx: 194252800 registers.esi: 8 registers.ecx: 194617344 thread_handle: 0x000000e4 process_identifier: 2948	1	0
NtResumeThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2948	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread June 24, 2021, 10:49 p.m.	registers.eip: 1920740228 registers.esp: 16969104 registers.edi: 136122532 registers.eax: 3211368 registers.ebp: 16969108 registers.edx: 136137998 registers.ebx: 211030016 registers.esi: 4 registers.ecx: 213446656 thread_handle: 0x000000e4 process_identifier: 2948	1	0
NtResumeThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2948	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread June 24, 2021, 10:49 p.m.	registers.eip: 1920740228 registers.esp: 16969104 registers.edi: 136122532 registers.eax: 6946868 registers.ebp: 16969108 registers.edx: 136150808 registers.ebx: 211030016 registers.esi: 19 registers.ecx: 213954556 thread_handle: 0x000000e4 process_identifier: 2948	1	0
NtResumeThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2948	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread June 24, 2021, 10:49 p.m.	registers.eip: 1920740228 registers.esp: 16969104 registers.edi: 136122412 registers.eax: 3407924 registers.ebp: 16969108 registers.edx: 136159944 registers.ebx: 108531712 registers.esi: 20 registers.ecx: 110702592 thread_handle: 0x000000e4 process_identifier: 2948	1	0
NtResumeThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2948	1	0
CreateProcessInternalW June 24, 2021, 10:49 p.m.	thread_identifier: 3016 thread_handle: 0x00000364 process_identifier: 1836 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout 1 filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000036c	1	1
CreateProcessInternalW June 24, 2021, 10:49 p.m.	thread_identifier: 2760 thread_handle: 0x0000039c process_identifier: 2112 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\lk.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\lk.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003a0	1	1
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x0000039c	1	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2112 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a0		3221225496
CreateProcessInternalW June 24, 2021, 10:49 p.m.	thread_identifier: 2840 thread_handle: 0x000003a8 process_identifier: 668 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\lk.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\lk.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003a4	1	1
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000003a8	1	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 668 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a4		3221225496
CreateProcessInternalW June 24, 2021, 10:49 p.m.	thread_identifier: 1768 thread_handle: 0x000003b0 process_identifier: 2720 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\lk.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\lk.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003ac	1	1
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000003b0	1	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2720 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ac		3221225496
CreateProcessInternalW June 24, 2021, 10:49 p.m.	thread_identifier: 2716 thread_handle: 0x000003b8 process_identifier: 1348 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\lk.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\lk.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003b4	1	1
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000003b8	1	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1348 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003b4		3221225496
CreateProcessInternalW June 24, 2021, 10:49 p.m.	thread_identifier: 2036 thread_handle: 0x000003c0 process_identifier: 1340 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\lk.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\lk.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003bc	1	1
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000003c0	1	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 1340 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003bc		3221225496
CreateProcessInternalW June 24, 2021, 10:49 p.m.	thread_identifier: 2524 thread_handle: 0x000003c8 process_identifier: 2368 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\lk.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\lk.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003c4	1	1
NtGetContextThread June 24, 2021, 10:49 p.m.	thread_handle: 0x000003c8	1	0
NtAllocateVirtualMemory June 24, 2021, 10:49 p.m.	process_identifier: 2368 region_size: 4083712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c4		3221225496
CreateProcessInternalW June 24, 2021, 10:49 p.m.	thread_identifier: 2952 thread_handle: 0x000003d0 process_identifier: 2976 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\lk.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\lk.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003cc	1	1

lk.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All