Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 8, 2021, 9:41 a.m.	Sept. 8, 2021, 9:54 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f88fe2ffbc0ac8b13baa8cdcb55bab28`
SHA256	`f4b224dc05210c0020c5e2f736c3132de81057918783ed65e56add163f92d552`
CRC32	`82E32D5D`
ssdeep	`24576:b4LpXk+b6umJBDAJeqtgTnfUtzdTMCEmW6vaxG/4aTN:0LfqBDAfgAvTMVm5Cx04`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

IMG_80350001.exe "C:\Users\test22\AppData\Local\Temp\IMG_80350001.exe"
2088
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com
  3016
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2672
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com
  2412
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com
  1436
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com
  2552
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  888
- IMG_80350001.exe C:\Users\test22\AppData\Local\Temp\IMG_80350001.exe
  2724

Name	Response	Post-Analysis Lookup
facebook.com	A 157.240.215.35	157.240.215.35
youtube.com	A 142.250.204.46	172.217.175.14
outlook.com	A 40.97.161.50 A 40.97.160.2 A 40.97.153.146 A 40.97.128.194 A 40.97.116.82 A 40.97.164.146 A 40.97.148.226 A 40.97.156.114	40.97.153.146
bing.com	A 204.79.197.200 A 13.107.21.200	13.107.21.200
google.com	A 172.217.174.110	172.217.175.78

IP Address	Status	Action
142.250.204.46	Active	Moloch
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
172.217.174.110	Active	Moloch
204.79.197.200	Active	Moloch
40.97.153.146	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (49 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 8, 2021, 9:42 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 8, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Sept. 8, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Sept. 8, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Sept. 8, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Sept. 8, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Sept. 8, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Sept. 8, 2021, 9:41 a.m.			0	0
IsDebuggerPresent Sept. 8, 2021, 9:41 a.m.			0	0

Command line console output was observed (36 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC youtube.com 142.250.204.46 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC youtube.com 142.250.204.46 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC youtube.com 142.250.204.46 {} console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC youtube.com 142.250.204.46 {} console_handle: 0x0000003f	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC google.com 172.217.174.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC google.com 172.217.174.110 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC google.com 172.217.174.110 {} console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC google.com 172.217.174.110 {} console_handle: 0x0000003f	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC facebook.com 157.240.215.35 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC facebook.com 157.240.215.35 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC facebook.com 157.240.215.35 {} console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC facebook.com 157.240.215.35 {} console_handle: 0x0000003f	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC outlook.com 40.97.153.146 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC outlook.com 40.97.153.146 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC outlook.com 40.97.153.146 {} console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC outlook.com 40.97.153.146 {} console_handle: 0x0000003f	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC bing.com 204.79.197.200 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC bing.com 204.79.197.200 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC bing.com 204.79.197.200 {} console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC bing.com 204.79.197.200 {} console_handle: 0x0000003f	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: WARNING: 2 columns do not fit into the display and were removed. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: Source Destination IPV4Address IPV6Address console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC google.com 172.217.174.110 {} console_handle: 0x00000033	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC google.com 172.217.174.110 {} console_handle: 0x00000037	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC google.com 172.217.174.110 {} console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 8, 2021, 9:41 a.m.	buffer: TEST22-PC google.com 172.217.174.110 {} console_handle: 0x0000003f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 261 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00250de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002517e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002517e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060ab80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060ab80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060ab80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060ab80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060ab80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060ab80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00609f00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060a400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05091d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05091d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05091d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051e648 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051f048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051f048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 8, 2021, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051f048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 8, 2021, 9:41 a.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Sept. 8, 2021, 9:42 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x95f155d 0x95f0203 0x6be207 0x92100cf system+0x1d3f63 @ 0x6df33f63 0x6b8d71 0x6b8b90 system+0x19c522 @ 0x6e83c522 system+0x19e920 @ 0x6e83e920 system+0x19e803 @ 0x6e83e803 0x6b05f8 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x6b0084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 4582500 registers.edi: 1990713288 registers.eax: 16777216 registers.ebp: 4582704 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 8, 2021, 9:42 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x95f155d 0x95f0203 0x6be207 0x92100cf system+0x1d3f63 @ 0x6df33f63 0x6b8d71 0x6b8b90 system+0x19c522 @ 0x6e83c522 system+0x19e920 @ 0x6e83e920 system+0x19e803 @ 0x6e83e803 0x6b05f8 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x6b0084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 4582500 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 4582704 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 8, 2021, 9:42 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x95f155d 0x95f0203 0x6be207 0x92100cf system+0x1d3f63 @ 0x6df33f63 0x6b8d71 0x6b8b90 system+0x19c522 @ 0x6e83c522 system+0x19e920 @ 0x6e83e920 system+0x19e803 @ 0x6e83e803 0x6b05f8 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x6b0084 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 4582500 registers.edi: 1990713288 registers.eax: 11862016 registers.ebp: 4582704 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 8, 2021, 9:42 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1569688 registers.edi: 8406688 registers.eax: 1569688 registers.ebp: 1569768 registers.edx: 0 registers.ebx: 8406688 registers.esi: 8406688 registers.ecx: 2	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 945 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02210000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72142000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0921f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x09210000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:42 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:42 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:42 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x095f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:42 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:42 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x095f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd81000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd82000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02901000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02902000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02687000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 8, 2021, 9:41 a.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (10 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com
cmdline	powershell Test-Connection -ComputerName bing.com
cmdline	powershell Test-Connection -ComputerName facebook.com
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com
cmdline	powershell Test-Connection -ComputerName youtube.com
cmdline	powershell Test-Connection -ComputerName google.com
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com
cmdline	powershell Test-Connection -ComputerName outlook.com

Executes one or more WMI queries (6 events)

wmi	Select * from Win32_PingStatus where ((Address='facebook.com') And TimeToLive=80 And BufferSize=32)
wmi	Select * from Win32_ComputerSystem
wmi	Select * from Win32_PingStatus where ((Address='google.com') And TimeToLive=80 And BufferSize=32)
wmi	Select * from Win32_PingStatus where ((Address='bing.com') And TimeToLive=80 And BufferSize=32)
wmi	Select * from Win32_PingStatus where ((Address='youtube.com') And TimeToLive=80 And BufferSize=32)
wmi	Select * from Win32_PingStatus where ((Address='outlook.com') And TimeToLive=80 And BufferSize=32)

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 8, 2021, 9:41 a.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName youtube.com filepath: powershell	1	1
ShellExecuteExW Sept. 8, 2021, 9:41 a.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1
ShellExecuteExW Sept. 8, 2021, 9:41 a.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName facebook.com filepath: powershell	1	1
ShellExecuteExW Sept. 8, 2021, 9:41 a.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName outlook.com filepath: powershell	1	1
ShellExecuteExW Sept. 8, 2021, 9:41 a.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName bing.com filepath: powershell	1	1
ShellExecuteExW Sept. 8, 2021, 9:41 a.m.	show_type: 0 filepath_r: powershell parameters: Test-Connection -ComputerName google.com filepath: powershell	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 8, 2021, 9:42 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00350000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0011cc00', u'virtual_address': u'0x00002000', u'entropy': 7.429859346413616, u'name': u'.text', u'virtual_size': u'0x0011caa4'}

entropy

7.42985934641

description

A section with a high entropy has been found

entropy

0.870795107034

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (7 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 8, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 8, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 8, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 8, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 8, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 8, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 8, 2021, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (19 events)

url	http://crl4.digicert.com/sha2-assured-ts.crl0
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
url	http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
url	https://www.nuget.org/packages/Newtonsoft.Json.Bson
url	http://ocsp.digicert.com0O
url	http://ocsp.digicert.com0K
url	http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
url	http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
url	http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
url	https://www.newtonsoft.com/jsonschema
url	http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
url	http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
url	https://www.newtonsoft.com/json
url	http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
url	http://ocsp.digicert.com0N
url	http://ocsp.digicert.com0C
url	http://crl3.digicert.com/sha2-assured-ts.crl02
url	https://www.digicert.com/CPS0
url	http://www.digicert.com/CPS0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vba
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	Select * from Win32_ComputerSystem

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 588329bda4a202cbb9b8a09a17e1263f0463168f
buffer	Buffer with sha1: d69dfe9d93380a86e86c2687418f56d2c03b1d5f

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 8, 2021, 9:42 a.m.	process_identifier: 2724 region_size: 499712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 8, 2021, 9:42 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2724 process_handle: 0x00000380	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2088 called NtSetContextThread to modify thread in remote process 2724
NtSetContextThread Sept. 8, 2021, 9:42 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4204760 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003b4 process_identifier: 2724	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2088 resumed a thread in remote process 2724
NtResumeThread Sept. 8, 2021, 9:42 a.m.	thread_handle: 0x000003b4 suspend_count: 1 process_identifier: 2724	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (47 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2088	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2088	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2088	1	0
CreateProcessInternalW Sept. 8, 2021, 9:41 a.m.	thread_identifier: 2056 thread_handle: 0x0000037c process_identifier: 3016 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000384	1	1
CreateProcessInternalW Sept. 8, 2021, 9:41 a.m.	thread_identifier: 656 thread_handle: 0x00000394 process_identifier: 2672 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003ac	1	1
CreateProcessInternalW Sept. 8, 2021, 9:41 a.m.	thread_identifier: 812 thread_handle: 0x00000260 process_identifier: 2412 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003a8	1	1
CreateProcessInternalW Sept. 8, 2021, 9:41 a.m.	thread_identifier: 2296 thread_handle: 0x0000039c process_identifier: 1436 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003b8	1	1
CreateProcessInternalW Sept. 8, 2021, 9:41 a.m.	thread_identifier: 900 thread_handle: 0x00000260 process_identifier: 2552 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003ac	1	1
CreateProcessInternalW Sept. 8, 2021, 9:41 a.m.	thread_identifier: 2560 thread_handle: 0x000003a8 process_identifier: 888 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003b8	1	1
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 2088	1	0
NtGetContextThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2088	1	0
CreateProcessInternalW Sept. 8, 2021, 9:42 a.m.	thread_identifier: 1332 thread_handle: 0x000003b4 process_identifier: 2724 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\IMG_80350001.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000380	1	1
NtGetContextThread Sept. 8, 2021, 9:42 a.m.	thread_handle: 0x000003b4	1	0
NtAllocateVirtualMemory Sept. 8, 2021, 9:42 a.m.	process_identifier: 2724 region_size: 499712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1	0
WriteProcessMemory Sept. 8, 2021, 9:42 a.m.	buffer: base_address: 0x00400000 process_identifier: 2724 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 8, 2021, 9:42 a.m.	buffer: base_address: 0x00401000 process_identifier: 2724 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 8, 2021, 9:42 a.m.	buffer: base_address: 0x0041f000 process_identifier: 2724 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 8, 2021, 9:42 a.m.	buffer: base_address: 0x00420000 process_identifier: 2724 process_handle: 0x00000380	1	1
WriteProcessMemory Sept. 8, 2021, 9:42 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2724 process_handle: 0x00000380	1	1
NtSetContextThread Sept. 8, 2021, 9:42 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4204760 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003b4 process_identifier: 2724	1	0
NtResumeThread Sept. 8, 2021, 9:42 a.m.	thread_handle: 0x000003b4 suspend_count: 1 process_identifier: 2724	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000005c4 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x00000458 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000005cc suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x00000458 suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000005cc suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 1436	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 1436	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 1436	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000005cc suspend_count: 1 process_identifier: 1436	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x00000458 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000005e4 suspend_count: 1 process_identifier: 2552	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 888	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 888	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 888	1	0
NtResumeThread Sept. 8, 2021, 9:41 a.m.	thread_handle: 0x000005c8 suspend_count: 1 process_identifier: 888	1	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Lionic	Trojan.MSIL.Seraph.a!c
Elastic	malicious (high confidence)
Cylance	Unsafe
K7AntiVirus	Trojan ( 00581eae1 )
BitDefender	Gen:Variant.Bulz.688153
K7GW	Trojan ( 00581eae1 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/MSIL_Agent.BCR.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.ACRQ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
MicroWorld-eScan	Gen:Variant.Bulz.688153
Avast	Win32:CrypterX-gen [Trj]
Ad-Aware	Gen:Variant.Bulz.688153
Emsisoft	Gen:Variant.Bulz.688153 (B)
F-Secure	Trojan.TR/Kryptik.hdiwu
DrWeb	Trojan.Siggen15.8810
FireEye	Gen:Variant.Bulz.688153
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Arcabit	Trojan.Bulz.DA8019
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Seraph.gen
GData	Gen:Variant.Bulz.688153
McAfee	PWS-FCZF!F88FE2FFBC0A
MAX	malware (ai score=100)
Malwarebytes	Trojan.Crypt.MSIL
Ikarus	Win32.SuspectCrc
eGambit	Unsafe.AI_Score_99%
Fortinet	MSIL/Kryptik.ACRQ!tr
BitDefenderTheta	Gen:NN.ZemsilF.34126.rn0@aqy!pxn
AVG	Win32:CrypterX-gen [Trj]
MaxSecure	Trojan.Malware.300983.susgen

IMG_80350001.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All