Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 12, 2021, 10:56 a.m.	Aug. 12, 2021, 10:58 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`586f79d31e3b60f3737c247810e56612`
SHA256	`bf6b69cb7063d748e6404300ed8b587473b20b2239605862ccbec909bccf7485`
CRC32	`4BC5B1EF`
ssdeep	`49152:V2GnkYpnt6j4Va7ep3sQDHDdtf4NN3cpbV:Vk0y4VoeN1DLfiKbV`
Yara	UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

edi.exe "C:\Users\test22\AppData\Local\Temp\edi.exe"
1768
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2232
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2792
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\_Ycpntjpyqzgdwajef.vbs"
  2116
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\outlook.exe'
    1276
- edi.exe C:\Users\test22\AppData\Local\Temp\edi.exe
  1648
  - E7nvVUkg.exe -a "C:\Users\test22\AppData\Local\9c49dd83\plg\BGBJe9Xt.json"
    1092
    - E7nvVUkg.exe -a "C:\Users\test22\AppData\Local\Temp\unk.xml"
      2504

Name	Response	Post-Analysis Lookup
dns.google	A 8.8.8.8 A 8.8.4.4	8.8.4.4
eter102.dvrlists.com	A 79.134.225.71	79.134.225.71
8.8.8.8.in-addr.arpa	PTR dns.google
www.xenarmor.com	CNAME xenarmor.com A 69.64.94.128	69.64.94.128

IP Address	Status	Action
164.124.101.2	Active	Moloch
69.64.94.128	Active	Moloch
79.134.225.71	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49172 -> 79.134.225.71:3050	906200098	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined
TCP 79.134.225.71:3050 -> 192.168.56.102:49172	2030724	ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)	Domain Observed Used for C2 Detected
TCP 192.168.56.102:49171 -> 79.134.225.71:3050	906200098	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined
TCP 79.134.225.71:3050 -> 192.168.56.102:49171	2030724	ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)	Domain Observed Used for C2 Detected
TCP 192.168.56.102:49177 -> 69.64.94.128:80	2030616	ET POLICY XenArmor Password Recovery License Check	Potential Corporate Privacy Violation
TCP 192.168.56.102:49203 -> 79.134.225.71:3050	906200098	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined
TCP 79.134.225.71:3050 -> 192.168.56.102:49203	2030724	ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)	Domain Observed Used for C2 Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49172 79.134.225.71:3050	CN=BitRAT	CN=BitRAT	12:02:21:38:04:fa:d8:a8:b6:f3:f7:97:a1:30:d1:0b:42:3d:38:7b
TLS 1.2 192.168.56.102:49171 79.134.225.71:3050	CN=BitRAT	CN=BitRAT	12:02:21:38:04:fa:d8:a8:b6:f3:f7:97:a1:30:d1:0b:42:3d:38:7b
TLS 1.2 192.168.56.102:49203 79.134.225.71:3050	CN=BitRAT	CN=BitRAT	12:02:21:38:04:fa:d8:a8:b6:f3:f7:97:a1:30:d1:0b:42:3d:38:7b

Queries for the computername (23 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2021, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2021, 10:57 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 12, 2021, 10:56 a.m.			0	0
IsDebuggerPresent Aug. 12, 2021, 10:56 a.m.			0	0
IsDebuggerPresent Aug. 12, 2021, 10:56 a.m.			0	0
IsDebuggerPresent Aug. 12, 2021, 10:56 a.m.			0	0
IsDebuggerPresent Aug. 12, 2021, 10:57 a.m.			0	0

Command line console output was observed (41 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 12, 2021, 10:56 a.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Aug. 12, 2021, 10:56 a.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Aug. 12, 2021, 10:56 a.m.	buffer: TEST22-PC 8.8.8.8 8.8.8.8 {} console_handle: 0x00000033	1	1
WriteConsoleW Aug. 12, 2021, 10:56 a.m.	buffer: TEST22-PC 8.8.8.8 8.8.8.8 {} console_handle: 0x00000037	1	1
WriteConsoleW Aug. 12, 2021, 10:56 a.m.	buffer: TEST22-PC 8.8.8.8 8.8.8.8 {} console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 12, 2021, 10:56 a.m.	buffer: TEST22-PC 8.8.8.8 8.8.8.8 {} console_handle: 0x0000003f	1	1
WriteConsoleW Aug. 12, 2021, 10:56 a.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Aug. 12, 2021, 10:56 a.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Aug. 12, 2021, 10:56 a.m.	buffer: TEST22-PC 8.8.8.8 8.8.8.8 {} console_handle: 0x00000033	1	1
WriteConsoleW Aug. 12, 2021, 10:56 a.m.	buffer: TEST22-PC 8.8.8.8 8.8.8.8 {} console_handle: 0x00000037	1	1
WriteConsoleW Aug. 12, 2021, 10:56 a.m.	buffer: TEST22-PC 8.8.8.8 8.8.8.8 {} console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 12, 2021, 10:56 a.m.	buffer: TEST22-PC 8.8.8.8 8.8.8.8 {} console_handle: 0x0000003f	1	1
WriteConsoleW Aug. 12, 2021, 10:57 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Aug. 12, 2021, 10:57 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 12, 2021, 10:57 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 12, 2021, 10:57 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 12, 2021, 10:57 a.m.	buffer: + Set-MpPreference <<<< -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\ou console_handle: 0x00000053	1	1
WriteConsoleW Aug. 12, 2021, 10:57 a.m.	buffer: tlook.exe' console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 12, 2021, 10:57 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 12, 2021, 10:57 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Aug. 12, 2021, 10:57 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: Password Recovery Status console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: [*] Recovering Browser Passwords... console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: [*] Recovering Email Client Passwords... console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: [*] Recovering Messenger Passwords... console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: [*] Recovering FTP Client Passwords... console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: [*] Recovering Download Manager Passwords... console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: [*] Recovering Database Manager Passwords... console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: [*] Recovering All Other Apps Passwords... console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: [*] Recovering Credential Manager Passwords... console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: [*] Recovering Wi-Fi Passwords... console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: Completed console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: Password Recovery Result console_handle: 0x00000007	1	1
WriteConsoleA Aug. 12, 2021, 10:57 a.m.	buffer: No stored passwords found. Please change the input parameters and try again Type .exe -h for more options & examples console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 132 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540358 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053fc98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053fc98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053fc98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053fc98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053fc98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053fc98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053fe58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f8d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053f8d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fedd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fedd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fedd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fe418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fe418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fe418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fded8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fded8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2021, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005fded8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 12, 2021, 10:56 a.m.		1	1	0

One or more processes crashed (10 events)

Time & API	Arguments	Status
__exception__ Aug. 12, 2021, 10:57 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x52d58cd 0x52d5842 0x52d2e4b 0x52d26f3 0x52d02fd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737 mscorlib+0x2d36ad @ 0x724b36ad mscorlib+0x308f2d @ 0x724e8f2d mscorlib+0x3135ed @ 0x724f35ed 0x8e7474 0x8e7317 0x8e68c9 0x8e1518 0x8e1414 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 5957876 registers.edi: 1969676232 registers.eax: 2097152 registers.ebp: 5958080 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 12, 2021, 10:57 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x52d58cd 0x52d5842 0x52d2e4b 0x52d26f3 0x52d02fd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737 mscorlib+0x2d36ad @ 0x724b36ad mscorlib+0x308f2d @ 0x724e8f2d mscorlib+0x3135ed @ 0x724f35ed 0x8e7474 0x8e7317 0x8e68c9 0x8e1518 0x8e1414 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 5957876 registers.edi: 1969676232 registers.eax: 10616832 registers.ebp: 5958080 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 12, 2021, 10:57 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x52d58cd 0x52d5842 0x52d2e4b 0x52d26f3 0x52d02fd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737 mscorlib+0x2d36ad @ 0x724b36ad mscorlib+0x308f2d @ 0x724e8f2d mscorlib+0x3135ed @ 0x724f35ed 0x8e7474 0x8e7317 0x8e68c9 0x8e1518 0x8e1414 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 5957876 registers.edi: 1969676232 registers.eax: 2097152 registers.ebp: 5958080 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 12, 2021, 10:57 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x52d58cd 0x52d5842 0x52d2e4b 0x52d26f3 0x52d02fd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737 mscorlib+0x2d36ad @ 0x724b36ad mscorlib+0x308f2d @ 0x724e8f2d mscorlib+0x3135ed @ 0x724f35ed 0x8e7474 0x8e7317 0x8e68c9 0x8e1518 0x8e1414 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 5957876 registers.edi: 1969676232 registers.eax: 10616832 registers.ebp: 5958080 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 12, 2021, 10:57 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x52d58cd 0x52d5842 0x52d2e4b 0x52d26f3 0x52d02fd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737 mscorlib+0x2d36ad @ 0x724b36ad mscorlib+0x308f2d @ 0x724e8f2d mscorlib+0x3135ed @ 0x724f35ed 0x8e7474 0x8e7317 0x8e68c9 0x8e1518 0x8e1414 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 5957876 registers.edi: 1969676232 registers.eax: 2097152 registers.ebp: 5958080 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 12, 2021, 10:57 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x52d58cd 0x52d5842 0x52d2e4b 0x52d26f3 0x52d02fd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737 mscorlib+0x2d36ad @ 0x724b36ad mscorlib+0x308f2d @ 0x724e8f2d mscorlib+0x3135ed @ 0x724f35ed 0x8e7474 0x8e7317 0x8e68c9 0x8e1518 0x8e1414 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 5957876 registers.edi: 1969676232 registers.eax: 10616832 registers.ebp: 5958080 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 12, 2021, 10:57 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x52d58cd 0x52d5842 0x52d2e4b 0x52d26f3 0x52d02fd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737 mscorlib+0x2d36ad @ 0x724b36ad mscorlib+0x308f2d @ 0x724e8f2d mscorlib+0x3135ed @ 0x724f35ed 0x8e7474 0x8e7317 0x8e68c9 0x8e1518 0x8e1414 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 5957876 registers.edi: 1969676232 registers.eax: 2097152 registers.ebp: 5958080 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 12, 2021, 10:57 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x52d58cd 0x52d5842 0x52d2e4b 0x52d26f3 0x52d02fd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737 mscorlib+0x2d36ad @ 0x724b36ad mscorlib+0x308f2d @ 0x724e8f2d mscorlib+0x3135ed @ 0x724f35ed 0x8e7474 0x8e7317 0x8e68c9 0x8e1518 0x8e1414 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 5957876 registers.edi: 1969676232 registers.eax: 10616832 registers.ebp: 5958080 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 12, 2021, 10:57 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x52d58cd 0x52d5842 0x52d2e4b 0x52d26f3 0x52d02fd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737 mscorlib+0x2d36ad @ 0x724b36ad mscorlib+0x308f2d @ 0x724e8f2d mscorlib+0x3135ed @ 0x724f35ed 0x8e7474 0x8e7317 0x8e68c9 0x8e1518 0x8e1414 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 5957876 registers.edi: 1969676232 registers.eax: 2097152 registers.ebp: 5958080 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Aug. 12, 2021, 10:57 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x76a6b37e 0x52d58cd 0x52d5842 0x52d2e4b 0x52d26f3 0x52d02fd DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x73221838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x73221737 mscorlib+0x2d36ad @ 0x724b36ad mscorlib+0x308f2d @ 0x724e8f2d mscorlib+0x3135ed @ 0x724f35ed 0x8e7474 0x8e7317 0x8e68c9 0x8e1518 0x8e1414 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x76a6b479 registers.esp: 5957876 registers.edi: 1969676232 registers.eax: 10616832 registers.ebp: 5958080 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://www.xenarmor.com/xen-check-portable-license.php?key=øÞÞ~nr%5DE%1C²%12a¸Bô%0D%17X0%1E&email=SDÌãéQa4i%19èQûþóuÀc;êf:Í5$×rAV&productid=5701

Allocates read-write-execute memory (usually to unpack itself) (50 out of 494 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02160000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0073b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00737000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70692000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0070c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00726000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 57344 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 1768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 2232 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2021, 10:56 a.m.	process_identifier: 2232 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (34 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Floc\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\

Creates executable files on the filesystem (22 events)

file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\Unknown.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\E7nvVUkg.exe
file	C:\Users\test22\AppData\Local\Temp\_Ycpntjpyqzgdwajef.vbs
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll

Creates hidden or system file (6 events)

Time & API	Arguments	Status	Return
SetFileAttributesW Aug. 12, 2021, 10:57 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\External filepath: C:\Users\test22\AppData\Local\Temp\External	1	1
SetFileAttributesW Aug. 12, 2021, 10:57 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\External\ComponentsExt filepath: C:\Users\test22\AppData\Local\Temp\External\ComponentsExt	1	1
SetFileAttributesW Aug. 12, 2021, 10:57 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\License.XenArmor filepath: C:\Users\test22\AppData\Local\Temp\License.XenArmor	1	1
SetFileAttributesW Aug. 12, 2021, 10:57 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\Unknown.dll filepath: C:\Users\test22\AppData\Local\Temp\Unknown.dll	1	1
SetFileAttributesW Aug. 12, 2021, 10:57 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\unk.xml filepath: C:\Users\test22\AppData\Local\Temp\unk.xml	1	1
SetFileAttributesW Aug. 12, 2021, 10:57 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\9c49dd83\plg\BGBJe9Xt.json filepath: C:\Users\test22\AppData\Local\9c49dd83\plg\BGBJe9Xt.json	1	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\outlook.exe'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
cmdline	powershell Test-Connection 8.8.8.8
cmdline	powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\outlook.exe'

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\_Ycpntjpyqzgdwajef.vbs
file	C:\Users\test22\AppData\Local\Temp\E7nvVUkg.exe

Drops an executable to the user AppData folder (20 events)

file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\Unknown.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll

Executes one or more WMI queries (1 event)

wmi	Select * from Win32_PingStatus where ((Address='8.8.8.8') And TimeToLive=80 And BufferSize=32)

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 12, 2021, 10:56 a.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection 8.8.8.8 filepath: powershell	1	1
ShellExecuteExW Aug. 12, 2021, 10:56 a.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection 8.8.8.8 filepath: powershell	1	1
ShellExecuteExW Aug. 12, 2021, 10:57 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\outlook.exe' filepath: powershell	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x001baa00', u'virtual_address': u'0x00002000', u'entropy': 7.990922535245317, u'name': u'.text', u'virtual_size': u'0x001ba984'}

entropy

7.99092253525

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00010200', u'virtual_address': u'0x001be000', u'entropy': 7.133676561468173, u'name': u'.rsrc', u'virtual_size': u'0x00010128'}

entropy

7.13367656147

description

A section with a high entropy has been found

entropy

0.999727594661

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (7 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 12, 2021, 10:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 12, 2021, 10:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 12, 2021, 10:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 12, 2021, 10:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 12, 2021, 10:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 12, 2021, 10:57 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 12, 2021, 10:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (25 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA Aug. 12, 2021, 10:57 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Navigator_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Navigator_is1		2	0

Terminates another process (10 events)

Time & API	Arguments	Status
NtTerminateProcess Aug. 12, 2021, 10:57 a.m.	status_code: 0xffffffff process_identifier: 1424 process_handle: 0x00000434
NtTerminateProcess Aug. 12, 2021, 10:57 a.m.	status_code: 0xffffffff process_identifier: 1424 process_handle: 0x00000434	1
NtTerminateProcess Aug. 12, 2021, 10:57 a.m.	status_code: 0xffffffff process_identifier: 2968 process_handle: 0x0000044c
NtTerminateProcess Aug. 12, 2021, 10:57 a.m.	status_code: 0xffffffff process_identifier: 2968 process_handle: 0x0000044c	1
NtTerminateProcess Aug. 12, 2021, 10:57 a.m.	status_code: 0xffffffff process_identifier: 2488 process_handle: 0x00000458
NtTerminateProcess Aug. 12, 2021, 10:57 a.m.	status_code: 0xffffffff process_identifier: 2488 process_handle: 0x00000458	1
NtTerminateProcess Aug. 12, 2021, 10:57 a.m.	status_code: 0xffffffff process_identifier: 2096 process_handle: 0x00000464
NtTerminateProcess Aug. 12, 2021, 10:57 a.m.	status_code: 0xffffffff process_identifier: 2096 process_handle: 0x00000464	1
NtTerminateProcess Aug. 12, 2021, 10:57 a.m.	status_code: 0x00000000 process_identifier: 2288 process_handle: 0x000003a8
NtTerminateProcess Aug. 12, 2021, 10:57 a.m.	status_code: 0x00000000 process_identifier: 2288 process_handle: 0x000003a8	1

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: 43bd0a1e43be3e858b30b484e9c89770a33b8c8a
buffer	Buffer with sha1: 368878a5ba7c1d7d054579b5cee41cdc723b67c6
buffer	Buffer with sha1: 3b112949486c78feaabadebf814c4ba692663a98

Allocates execute permission to another process indicative of possible code injection (8 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 1424 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000033c		3221225496
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 2968 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000448		3221225496
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 2488 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000440		3221225496
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 2096 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000444		3221225496
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 1648 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000045c	1	0
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 2288 region_size: 5095424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a8		3221225496
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 1092 region_size: 5095424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000384	1	0
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 2504 region_size: 3137536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000084	1	0

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data\Default\
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data\Default\

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 12, 2021, 10:57 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

edi.exe tried to sleep 5456617 seconds, actually delayed analysis time by 5456617 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\outlook

reg_value

"C:\Users\test22\AppData\Roaming\outlook.exe"

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\E7nvVUkg.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\9c49dd83\plg\BGBJe9Xt.json

Harvests credentials from local FTP client softwares (12 events)

file	C:\Users\test22\AppData\Roaming\FTP Explorer\profiles.xml
file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPRush\RushSite.xml
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
registry	HKEY_LOCAL_MACHINE\Software\SoftX.org\FTPClient\Sites
registry	HKEY_CURRENT_USER\Software\SoftX.org\FTPClient\Sites
registry	HKEY_CURRENT_USER\Software\Sota\FFFTP\Options
registry	HKEY_CURRENT_USER\Software\Cryer\WebSitePublisher
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\CoreFTP\Sites

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Aug. 12, 2021, 10:57 a.m.	thread_identifier: 0 callback_function: 0x0050f84a hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x00000000	1	2490661	0

Harvests information related to installed instant messenger clients (8 events)

file	C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\Users\test22\AppData\Roaming\Trillian\users\global\accounts.ini
file	C:\Users\test22\AppData\Roaming\Xfire\XfireUser.ini
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry	HKEY_CURRENT_USER\Software\IMVU\username
registry	HKEY_CURRENT_USER\Software\IMVU\password
registry	HKEY_CURRENT_USER\Software\Paltalk

Manipulates memory of a non-child process indicative of process injection (10 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 1768 manipulating memory of non-child process 1424
Process injection	Process 1768 manipulating memory of non-child process 2968
Process injection	Process 1768 manipulating memory of non-child process 2488
Process injection	Process 1768 manipulating memory of non-child process 2096
Process injection	Process 1648 manipulating memory of non-child process 2288
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 1424 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000033c	3221225496	0
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 2968 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000448	3221225496	0
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 2488 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000440	3221225496	0
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 2096 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000444	3221225496	0
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 2288 region_size: 5095424 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003a8	3221225496	0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 12, 2021, 10:57 a.m.	buffer: <0>(0>h0>J0>X0>v0>KERNEL32.DLLExitProcessGetProcAddressLoadLibraryAVirtualProtect >2759P9T9X9\9p9´9À9 >2759P9T9X9\9p9´9À9 base_address: 0x007e3000 process_identifier: 1648 process_handle: 0x0000045c	1	1
WriteProcessMemory Aug. 12, 2021, 10:57 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1648 process_handle: 0x0000045c	1	1
WriteProcessMemory Aug. 12, 2021, 10:57 a.m.	buffer: eÐføg hHipjkÀlèmn8o`pq°rØst(uPvxw xÈyð è´ °A8K 8è8W ` ä0I P-8O °\|8K ØÀÇ8I ø8q (08g Phé8Y x B0_ Ð¡À[ Èý8Q ðÈN8I Ð @Ð« Ð h Ë"8· Ø)Ðû ¸¨~<Ð3 àx²>HG Àù?gT´M@´M´Mb´Mp´M´MKERNEL32.DLLExitProcessGetProcAddressLoadLibraryAVirtualProtect base_address: 0x008db000 process_identifier: 1092 process_handle: 0x00000384	1	1
WriteProcessMemory Aug. 12, 2021, 10:57 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1092 process_handle: 0x00000384	1	1
WriteProcessMemory Aug. 12, 2021, 10:57 a.m.	buffer: PÒ/¤Ñ/]Ò/¬Ñ/iÒ/´Ñ/sÒ/¼Ñ/Ò/ÄÑ/Ò/ÌÑ/Ò/àÑ/¢Ò/èÑ/¬Ò/ðÑ/·Ò/øÑ/ÄÒ/Ò/ÑÒ/Ò/ÜÒ/Ò/èÒ/Ò/ôÒ/ Ò/ÿÒ/(Ò/Ó/0Ò/Ó/8Ò/#Ó/@Ò/-Ó/HÒ/:Ó/DÓ/XÓ/`Ó/jÓ/Ó/zÓ/Ó/¦Ó/¶Ó/ÂÓ/ÎÓ/ÈâÓ/ôÓ/Ô/Ô/Ô/&Ô/HÔ/VÔ/fÔ/rÔ/ADVAPI32.dllCRYPT32.dllGDI32.dllgdiplus.dllIMM32.dllKERNEL32.DLLMSIMG32.dllole32.dllOLEACC.dllOLEAUT32.dllRASAPI32.dllRPCRT4.dllSHELL32.dllSHLWAPI.dllUSER32.dllUSERENV.dllUxTheme.dllVERSION.dllWINMM.dllWINSPOOL.DRVLsaCloseCryptUnprotectDataLPtoDPGdipFreeImmGetContextExitProcessGetProcAddressLoadLibraryAVirtualProtectAlphaBlendDoDragDropLresultFromObjectRasEnumEntriesAUuidFromStringADragFinishPathIsUNCAGetDCExpandEnvironmentStringsForUserAIsAppThemedVerQueryValueAPlaySoundAOpenPrinterA base_address: 0x006fd000 process_identifier: 2504 process_handle: 0x00000084	1	1
WriteProcessMemory Aug. 12, 2021, 10:57 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2504 process_handle: 0x00000084	1	1

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Aug. 12, 2021, 10:57 a.m.	thread_identifier: 0 callback_function: 0x004ca8cc hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	721569	0

Harvests credentials from local email clients (7 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Program Files\Foxmail 7.0\Data\AccCfg\Accounts.tdat
registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e\HTTP Password
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1768 called NtSetContextThread to modify thread in remote process 1648
Process injection	Process 1648 called NtSetContextThread to modify thread in remote process 1092
Process injection	Process 1092 called NtSetContextThread to modify thread in remote process 2504
NtSetContextThread Aug. 12, 2021, 10:57 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 8267568 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000464 process_identifier: 1648	1	0	0
NtSetContextThread Aug. 12, 2021, 10:57 a.m.	registers.eip: 2007957956 registers.esp: 1638384 registers.edi: 0 registers.eax: 9281504 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000039c process_identifier: 1092	1	0	0
NtSetContextThread Aug. 12, 2021, 10:57 a.m.	registers.eip: 2007957956 registers.esp: 1638384 registers.edi: 0 registers.eax: 7324112 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000080 process_identifier: 2504	1	0	0

Expresses interest in specific running processes (1 event)

process: potential process injection target

winlogon.exe

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\outlook.exe'
parent_process	wscript.exe				martian_process	powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\outlook.exe'

Putty Files, Registry Keys and/or Mutexes Detected

Appends a known multi-family ransomware file extension to files that have been encrypted (1 event)

file	C:\Users\test22\AppData\Local\9c49dd83\plg\c039198306863035fea360c1237d8088.enc

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1768 resumed a thread in remote process 1648
Process injection	Process 1648 resumed a thread in remote process 1092
Process injection	Process 1092 resumed a thread in remote process 2504
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 1648	1	0	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 1092	1	0	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x00000080 suspend_count: 1 process_identifier: 2504	1	0	0

Generates some ICMP traffic

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Bulz.597486
FireEye	Generic.mg.586f79d31e3b60f3
Cylance	Unsafe
Cybereason	malicious.d94d3a
Cyren	W32/MSIL_Kryptik.FDJ.gen!Eldorado
ESET-NOD32	a variant of MSIL/GenKryptik.FITN
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Sophos	ML/PE-A
Ikarus	Trojan.MSIL.Crypt
eGambit	Unsafe.AI_Score_55%
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Bulz.597486
Cynet	Malicious (score: 100)
Malwarebytes	Backdoor.Remcos
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
BitDefenderTheta	Gen:NN.ZemsilF.34058.Yn0@aS9E8kp

Executed a process and injected code into it, probably while unpacking (50 out of 92 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 12, 2021, 10:56 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1768	1	0
NtResumeThread Aug. 12, 2021, 10:56 a.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 1768	1	0
NtResumeThread Aug. 12, 2021, 10:56 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1768	1	0
CreateProcessInternalW Aug. 12, 2021, 10:56 a.m.	thread_identifier: 180 thread_handle: 0x000003c8 process_identifier: 2232 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
CreateProcessInternalW Aug. 12, 2021, 10:56 a.m.	thread_identifier: 1088 thread_handle: 0x0000033c process_identifier: 2792 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c4	1	1
CreateProcessInternalW Aug. 12, 2021, 10:57 a.m.	thread_identifier: 1172 thread_handle: 0x00000444 process_identifier: 2116 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\_Ycpntjpyqzgdwajef.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000458	1	1
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 1768	1	0
NtGetContextThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x000000f0	1	0
NtGetContextThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x000000f0	1	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x000000f0 suspend_count: 1 process_identifier: 1768	1	0
CreateProcessInternalW Aug. 12, 2021, 10:57 a.m.	thread_identifier: 1964 thread_handle: 0x00000460 process_identifier: 1424 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\edi.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000033c	1	1
NtGetContextThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x00000460	1	0
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 1424 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000033c		3221225496
CreateProcessInternalW Aug. 12, 2021, 10:57 a.m.	thread_identifier: 2972 thread_handle: 0x00000434 process_identifier: 2968 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\edi.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000448	1	1
NtGetContextThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x00000434	1	0
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 2968 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000448		3221225496
CreateProcessInternalW Aug. 12, 2021, 10:57 a.m.	thread_identifier: 2500 thread_handle: 0x0000044c process_identifier: 2488 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\edi.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000440	1	1
NtGetContextThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x0000044c	1	0
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 2488 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000440		3221225496
CreateProcessInternalW Aug. 12, 2021, 10:57 a.m.	thread_identifier: 2872 thread_handle: 0x00000458 process_identifier: 2096 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\edi.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000444	1	1
NtGetContextThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x00000458	1	0
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 2096 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000444		3221225496
CreateProcessInternalW Aug. 12, 2021, 10:57 a.m.	thread_identifier: 1328 thread_handle: 0x00000464 process_identifier: 1648 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\edi.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000045c	1	1
NtGetContextThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x00000464	1	0
NtAllocateVirtualMemory Aug. 12, 2021, 10:57 a.m.	process_identifier: 1648 region_size: 4079616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000045c	1	0
WriteProcessMemory Aug. 12, 2021, 10:57 a.m.	buffer: base_address: 0x00400000 process_identifier: 1648 process_handle: 0x0000045c	1	1
WriteProcessMemory Aug. 12, 2021, 10:57 a.m.	buffer: base_address: 0x00672000 process_identifier: 1648 process_handle: 0x0000045c	1	1
WriteProcessMemory Aug. 12, 2021, 10:57 a.m.	buffer: <0>(0>h0>J0>X0>v0>KERNEL32.DLLExitProcessGetProcAddressLoadLibraryAVirtualProtect >2759P9T9X9\9p9´9À9 >2759P9T9X9\9p9´9À9 base_address: 0x007e3000 process_identifier: 1648 process_handle: 0x0000045c	1	1
WriteProcessMemory Aug. 12, 2021, 10:57 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1648 process_handle: 0x0000045c	1	1
NtSetContextThread Aug. 12, 2021, 10:57 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 8267568 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000464 process_identifier: 1648	1	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 1648	1	0
NtResumeThread Aug. 12, 2021, 10:56 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Aug. 12, 2021, 10:56 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Aug. 12, 2021, 10:56 a.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Aug. 12, 2021, 10:56 a.m.	thread_handle: 0x000005b8 suspend_count: 1 process_identifier: 2232	1	0
NtResumeThread Aug. 12, 2021, 10:56 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2792	1	0
NtResumeThread Aug. 12, 2021, 10:56 a.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 2792	1	0
NtResumeThread Aug. 12, 2021, 10:56 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2792	1	0
NtResumeThread Aug. 12, 2021, 10:56 a.m.	thread_handle: 0x000005b8 suspend_count: 1 process_identifier: 2792	1	0
CreateProcessInternalW Aug. 12, 2021, 10:57 a.m.	thread_identifier: 656 thread_handle: 0x00000330 process_identifier: 1276 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\outlook.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000338	1	1
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 1276	1	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 1276	1	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 1276	1	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x000004a4 suspend_count: 1 process_identifier: 1276	1	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 1648	1	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 1648	1	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x000002d4 suspend_count: 1 process_identifier: 1648	1	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x000002dc suspend_count: 1 process_identifier: 1648	1	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x000002e4 suspend_count: 1 process_identifier: 1648	1	0
NtResumeThread Aug. 12, 2021, 10:57 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 1648	1	0

The processes powershell.exe, wscript.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\SysWOW64\wscript.exe

edi.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All