Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 14, 2021, 8:55 a.m.	July 14, 2021, 9:16 a.m.

Size	862.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e6a9ebd149db011d65fc795e0139f10c`
SHA256	`4e46927fca13b53697d0a5c5257df1075af4e356f2f48ac518768793051f317b`
CRC32	`7DC2B4D8`
ssdeep	`12288:xXN5GnTOdU+CHpZgQzI4HM8se/Exh0x/1KmnDvrLkEMvfGbs5frPkxyQxpJrEmyV:18QA/DvcEgfGbUbk4Q5EmPFaL5`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals

aa.exe "C:\Users\test22\AppData\Local\Temp\aa.exe"
2428

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 14, 2021, 8:55 a.m.			0	0
IsDebuggerPresent July 14, 2021, 8:55 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey July 14, 2021, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009d6480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 14, 2021, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009d6480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 14, 2021, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x009d6480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 14, 2021, 8:55 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 14, 2021, 8:55 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x74231194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x74102ba1 mscorlib+0x2f45b0 @ 0x727f45b0 mscorlib+0x2f46fc @ 0x727f46fc mscorlib+0x2f4688 @ 0x727f4688 0x6e2d5f 0x6e0af5 0x6e09c9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95 CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x740a70df LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x740f412e mscorlib+0x2f1c22 @ 0x727f1c22 mscorlib+0x2f1b99 @ 0x727f1b99 mscorlib+0x30e9a6 @ 0x7280e9a6 0x6e073f 0x6e04b9 0x6e03cd microsoft+0x129ed1 @ 0x73e69ed1 microsoft+0x12ad86 @ 0x73e6ad86 microsoft+0x12b191 @ 0x73e6b191 0x6e00bd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74147610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x741d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x741d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x741d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x741d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7472f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x75f4b727 registers.esp: 6022416 registers.edi: 0 registers.eax: 6022416 registers.ebp: 6022496 registers.edx: 0 registers.ebx: 10448136 registers.esi: 10116976 registers.ecx: 2850217398	1	0	0
__exception__ July 14, 2021, 8:55 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x74231194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x74102ba1 mscorlib+0x2f45a5 @ 0x727f45a5 mscorlib+0x2f46fc @ 0x727f46fc mscorlib+0x2f4688 @ 0x727f4688 0x6e2d5f 0x6e0af5 0x6e09c9 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95 CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x740a70df LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x740f412e mscorlib+0x2f1c22 @ 0x727f1c22 mscorlib+0x2f1b99 @ 0x727f1b99 mscorlib+0x30e9a6 @ 0x7280e9a6 0x6e073f 0x6e04b9 0x6e03cd microsoft+0x129ed1 @ 0x73e69ed1 microsoft+0x12ad86 @ 0x73e6ad86 microsoft+0x12b191 @ 0x73e6b191 0x6e00bd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74147610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x741d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x741d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x741d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x741d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7472f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x75f4b727 registers.esp: 6022416 registers.edi: 0 registers.eax: 6022416 registers.ebp: 6022496 registers.edx: 0 registers.ebx: 10448136 registers.esi: 10116976 registers.ecx: 2850217398	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 14, 2021, 8:55 a.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x74231194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x74102ba1
mscorlib+0x2f45b0 @ 0x727f45b0
mscorlib+0x2f46fc @ 0x727f46fc
mscorlib+0x2f4688 @ 0x727f4688
0x6e2d5f
0x6e0af5
0x6e09c9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95
CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x740a70df
LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x740f412e
mscorlib+0x2f1c22 @ 0x727f1c22
mscorlib+0x2f1b99 @ 0x727f1b99
mscorlib+0x30e9a6 @ 0x7280e9a6
0x6e073f
0x6e04b9
0x6e03cd
microsoft+0x129ed1 @ 0x73e69ed1
microsoft+0x12ad86 @ 0x73e6ad86
microsoft+0x12b191 @ 0x73e6b191
0x6e00bd
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74147610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x741d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x741d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x741d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x741d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7472f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x75f4b727
registers.esp: 6022416
registers.edi: 0
registers.eax: 6022416
registers.ebp: 6022496
registers.edx: 0
registers.ebx: 10448136
registers.esi: 10116976
registers.ecx: 2850217398

__exception__

July 14, 2021, 8:55 a.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x74231194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x74102ba1
mscorlib+0x2f45a5 @ 0x727f45a5
mscorlib+0x2f46fc @ 0x727f46fc
mscorlib+0x2f4688 @ 0x727f4688
0x6e2d5f
0x6e0af5
0x6e09c9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95
CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x740a70df
LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x740f412e
mscorlib+0x2f1c22 @ 0x727f1c22
mscorlib+0x2f1b99 @ 0x727f1b99
mscorlib+0x30e9a6 @ 0x7280e9a6
0x6e073f
0x6e04b9
0x6e03cd
microsoft+0x129ed1 @ 0x73e69ed1
microsoft+0x12ad86 @ 0x73e6ad86
microsoft+0x12b191 @ 0x73e6b191
0x6e00bd
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741474ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74147610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x741d1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x741d1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x741d1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x741d416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7472f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

Allocates read-write-execute memory (usually to unpack itself) (37 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74081000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74082000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02050000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00282000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0028a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70522000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:55 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0028c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2428 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2428 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2428 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000d2e00', u'virtual_address': u'0x00002000', u'entropy': 7.418591809259636, u'name': u'.text', u'virtual_size': u'0x000d2d90'}

entropy

7.41859180926

description

A section with a high entropy has been found

entropy

0.978538283063

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 14, 2021, 8:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (10 events)

Time & API	Arguments	Status
NtTerminateProcess July 14, 2021, 8:56 a.m.	status_code: 0xffffffff process_identifier: 2916 process_handle: 0x0000027c
NtTerminateProcess July 14, 2021, 8:56 a.m.	status_code: 0xffffffff process_identifier: 2916 process_handle: 0x0000027c	1
NtTerminateProcess July 14, 2021, 8:56 a.m.	status_code: 0xffffffff process_identifier: 2952 process_handle: 0x00000288
NtTerminateProcess July 14, 2021, 8:56 a.m.	status_code: 0xffffffff process_identifier: 2952 process_handle: 0x00000288	1
NtTerminateProcess July 14, 2021, 8:56 a.m.	status_code: 0xffffffff process_identifier: 2988 process_handle: 0x00000290
NtTerminateProcess July 14, 2021, 8:56 a.m.	status_code: 0xffffffff process_identifier: 2988 process_handle: 0x00000290	1
NtTerminateProcess July 14, 2021, 8:56 a.m.	status_code: 0xffffffff process_identifier: 3024 process_handle: 0x00000298
NtTerminateProcess July 14, 2021, 8:56 a.m.	status_code: 0xffffffff process_identifier: 3024 process_handle: 0x00000298	1
NtTerminateProcess July 14, 2021, 8:56 a.m.	status_code: 0xffffffff process_identifier: 3060 process_handle: 0x000002a0
NtTerminateProcess July 14, 2021, 8:56 a.m.	status_code: 0xffffffff process_identifier: 3060 process_handle: 0x000002a0	1

Allocates execute permission to another process indicative of possible code injection (5 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2916 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c	3221225496
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2952 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280	3221225496
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2988 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000284	3221225496
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 3024 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c	3221225496
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 3060 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294	3221225496

Manipulates memory of a non-child process indicative of process injection (10 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2428 manipulating memory of non-child process 2916
Process injection	Process 2428 manipulating memory of non-child process 2952
Process injection	Process 2428 manipulating memory of non-child process 2988
Process injection	Process 2428 manipulating memory of non-child process 3024
Process injection	Process 2428 manipulating memory of non-child process 3060
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2916 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c	3221225496	0
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2952 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280	3221225496	0
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2988 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000284	3221225496	0
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 3024 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c	3221225496	0
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 3060 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000294	3221225496	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Bulz.559960
FireEye	Generic.mg.e6a9ebd149db011d
Cylance	Unsafe
Alibaba	TrojanSpy:Application/Generic.823d5138
CrowdStrike	win/malicious_confidence_60% (W)
Cyren	W32/MSIL_Kryptik.EUD.gen!Eldorado
ESET-NOD32	a variant of MSIL/Kryptik.ABXY
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Taskun-9874486-0
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Bulz.559960
Avast	Win32:PWSX-gen [Trj]
McAfee-GW-Edition	Artemis!Trojan
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=87)
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:MSIL/NanoBot.D!MTB
GData	Gen:Variant.Bulz.559960
Cynet	Malicious (score: 100)
McAfee	PWS-FCUC!E6A9EBD149DB
Malwarebytes	Malware.AI.4214092074
Ikarus	Trojan-Spy.Agent
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.DLO!tr
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.cc0a19
Qihoo-360	HEUR/QVM03.0.9047.Malware.Gen

Executed a process and injected code into it, probably while unpacking (50 out of 51 events)

Time & API	Arguments	Status	Return
NtResumeThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread July 14, 2021, 8:55 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread July 14, 2021, 8:55 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread July 14, 2021, 8:55 a.m.	thread_handle: 0x00000254 suspend_count: 1 process_identifier: 2428	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2428	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2428	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2428	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread July 14, 2021, 8:55 a.m.	registers.eip: 1947216772 registers.esp: 6022624 registers.edi: 128913232 registers.eax: 4259905 registers.ebp: 6022628 registers.edx: 128999232 registers.ebx: 49237 registers.esi: 6237 registers.ecx: 129097720 thread_handle: 0x000000e0 process_identifier: 2428	1	0
NtResumeThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2428	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2428	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2428	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread July 14, 2021, 8:55 a.m.	registers.eip: 1947216772 registers.esp: 6022624 registers.edi: 133871232 registers.eax: 3407972 registers.ebp: 6022628 registers.edx: 133882688 registers.ebx: 61016 registers.esi: 55288 registers.ecx: 134004736 thread_handle: 0x000000e0 process_identifier: 2428	1	0
NtResumeThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2428	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 14, 2021, 8:55 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2428	1	0
NtResumeThread July 14, 2021, 8:56 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 2428	1	0
NtGetContextThread July 14, 2021, 8:56 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 14, 2021, 8:56 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 14, 2021, 8:56 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2428	1	0
CreateProcessInternalW July 14, 2021, 8:56 a.m.	thread_identifier: 2920 thread_handle: 0x00000268 process_identifier: 2916 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\aa.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\aa.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000026c	1	1
NtGetContextThread July 14, 2021, 8:56 a.m.	thread_handle: 0x00000268	1	0
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2916 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c		3221225496
CreateProcessInternalW July 14, 2021, 8:56 a.m.	thread_identifier: 2956 thread_handle: 0x0000027c process_identifier: 2952 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\aa.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\aa.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000280	1	1
NtGetContextThread July 14, 2021, 8:56 a.m.	thread_handle: 0x0000027c	1	0
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2952 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280		3221225496
CreateProcessInternalW July 14, 2021, 8:56 a.m.	thread_identifier: 2992 thread_handle: 0x00000288 process_identifier: 2988 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\aa.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\aa.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000284	1	1
NtGetContextThread July 14, 2021, 8:56 a.m.	thread_handle: 0x00000288	1	0
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 2988 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000284		3221225496
CreateProcessInternalW July 14, 2021, 8:56 a.m.	thread_identifier: 3028 thread_handle: 0x00000290 process_identifier: 3024 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\aa.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\aa.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000028c	1	1
NtGetContextThread July 14, 2021, 8:56 a.m.	thread_handle: 0x00000290	1	0
NtAllocateVirtualMemory July 14, 2021, 8:56 a.m.	process_identifier: 3024 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c		3221225496
CreateProcessInternalW July 14, 2021, 8:56 a.m.	thread_identifier: 3064 thread_handle: 0x00000298 process_identifier: 3060 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\aa.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\aa.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000294	1	1
NtGetContextThread July 14, 2021, 8:56 a.m.	thread_handle: 0x00000298	1	0

aa.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All