Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 22, 2021, 9:50 a.m.	Sept. 22, 2021, 10:19 a.m.

Size	652.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b5b75b3da47bb461fceb52a2c69d1240`
SHA256	`5b445bc2e8cd529d16ff02a4c2bca711a6ad0a9e306f6a7353ade3b80d70c38f`
CRC32	`C4CD0F2F`
ssdeep	`12288:cS/HwtbFL1/gNhrnYulyu7pkv/tpr5Oog/VzoxyNqkbT:cS/m/gN9nhlyuutWxNqkbT`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description)

ConsoleApp13.exe "C:\Users\test22\AppData\Local\Temp\ConsoleApp13.exe"
2416
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3
  1304
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 15
  2856
- ConsoleApp13.exe C:\Users\test22\AppData\Local\Temp\ConsoleApp13.exe
  888

Name	Response	Post-Analysis Lookup
freightmgmt.duckdns.org	A 194.5.98.207	194.5.98.207

IP Address	Status	Action
164.124.101.2	Active	Moloch
194.5.98.207	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:59369 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 22, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 22, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 22, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2021, 9:50 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 22, 2021, 9:50 a.m.			0	0
IsDebuggerPresent Sept. 22, 2021, 9:50 a.m.			0	0
IsDebuggerPresent Sept. 22, 2021, 9:50 a.m.			0	0
IsDebuggerPresent Sept. 22, 2021, 9:50 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 83 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 22, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00370d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efa68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efde8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006efee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ef668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f02e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f02e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 22, 2021, 9:50 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 22, 2021, 9:50 a.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Sept. 22, 2021, 9:51 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x897f05 0x897238 0x894968 0x894384 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd 0x890418 0x8901d8 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x89007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2352692 registers.edi: 1990713288 registers.eax: 16777216 registers.ebp: 2352896 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 22, 2021, 9:51 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x897f05 0x897238 0x894968 0x894384 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd 0x890418 0x8901d8 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x89007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2352692 registers.edi: 1990713288 registers.eax: 4194304 registers.ebp: 2352896 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Sept. 22, 2021, 9:51 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e 0x897f05 0x897238 0x894968 0x894384 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x3133fd @ 0x6ff533fd 0x890418 0x8901d8 system+0x1f9799 @ 0x6e899799 system+0x1f92c8 @ 0x6e8992c8 system+0x1eca74 @ 0x6e88ca74 system+0x1ec868 @ 0x6e88c868 system+0x1f82b8 @ 0x6e8982b8 system+0x1ee54d @ 0x6e88e54d system+0x1f70ea @ 0x6e8970ea system+0x1e56c0 @ 0x6e8856c0 system+0x1f8215 @ 0x6e898215 system+0x1f6f75 @ 0x6e896f75 system+0x1ee251 @ 0x6e88e251 system+0x1ee229 @ 0x6e88e229 system+0x1ee170 @ 0x6e88e170 0x52a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a system+0x1ebc85 @ 0x6e88bc85 system+0x1f683b @ 0x6e89683b system+0x1a5e44 @ 0x6e845e44 system+0x1fd8a0 @ 0x6e89d8a0 system+0x1fd792 @ 0x6e89d792 system+0x1a14bd @ 0x6e8414bd 0x89007a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7575b479 registers.esp: 2352692 registers.edi: 1990713288 registers.eax: 17760256 registers.ebp: 2352896 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 22, 2021, 9:51 a.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0x897f05
0x897238
0x894968
0x894384
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d3711 @ 0x6ff13711
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x3133fd @ 0x6ff533fd
0x890418
0x8901d8
system+0x1f9799 @ 0x6e899799
system+0x1f92c8 @ 0x6e8992c8
system+0x1eca74 @ 0x6e88ca74
system+0x1ec868 @ 0x6e88c868
system+0x1f82b8 @ 0x6e8982b8
system+0x1ee54d @ 0x6e88e54d
system+0x1f70ea @ 0x6e8970ea
system+0x1e56c0 @ 0x6e8856c0
system+0x1f8215 @ 0x6e898215
system+0x1f6f75 @ 0x6e896f75
system+0x1ee251 @ 0x6e88e251
system+0x1ee229 @ 0x6e88e229
system+0x1ee170 @ 0x6e88e170
0x52a08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a
system+0x1ebc85 @ 0x6e88bc85
system+0x1f683b @ 0x6e89683b
system+0x1a5e44 @ 0x6e845e44
system+0x1fd8a0 @ 0x6e89d8a0
system+0x1fd792 @ 0x6e89d792
system+0x1a14bd @ 0x6e8414bd
0x89007a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 2352692
registers.edi: 1990713288
registers.eax: 16777216
registers.ebp: 2352896
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

__exception__

Sept. 22, 2021, 9:51 a.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0x897f05
0x897238
0x894968
0x894384
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d3711 @ 0x6ff13711
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x3133fd @ 0x6ff533fd
0x890418
0x8901d8
system+0x1f9799 @ 0x6e899799
system+0x1f92c8 @ 0x6e8992c8
system+0x1eca74 @ 0x6e88ca74
system+0x1ec868 @ 0x6e88c868
system+0x1f82b8 @ 0x6e8982b8
system+0x1ee54d @ 0x6e88e54d
system+0x1f70ea @ 0x6e8970ea
system+0x1e56c0 @ 0x6e8856c0
system+0x1f8215 @ 0x6e898215
system+0x1f6f75 @ 0x6e896f75
system+0x1ee251 @ 0x6e88e251
system+0x1ee229 @ 0x6e88e229
system+0x1ee170 @ 0x6e88e170
0x52a08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a
system+0x1ebc85 @ 0x6e88bc85
system+0x1f683b @ 0x6e89683b
system+0x1a5e44 @ 0x6e845e44
system+0x1fd8a0 @ 0x6e89d8a0
system+0x1fd792 @ 0x6e89d792
system+0x1a14bd @ 0x6e8414bd
0x89007a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 2352692
registers.edi: 1990713288
registers.eax: 4194304
registers.ebp: 2352896
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

__exception__

Sept. 22, 2021, 9:51 a.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7575b37e
0x897f05
0x897238
0x894968
0x894384
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d3711 @ 0x6ff13711
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x3133fd @ 0x6ff533fd
0x890418
0x8901d8
system+0x1f9799 @ 0x6e899799
system+0x1f92c8 @ 0x6e8992c8
system+0x1eca74 @ 0x6e88ca74
system+0x1ec868 @ 0x6e88c868
system+0x1f82b8 @ 0x6e8982b8
system+0x1ee54d @ 0x6e88e54d
system+0x1f70ea @ 0x6e8970ea
system+0x1e56c0 @ 0x6e8856c0
system+0x1f8215 @ 0x6e898215
system+0x1f6f75 @ 0x6e896f75
system+0x1ee251 @ 0x6e88e251
system+0x1ee229 @ 0x6e88e229
system+0x1ee170 @ 0x6e88e170
0x52a08e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755b6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755b6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x773b011a
system+0x1ebc85 @ 0x6e88bc85
system+0x1f683b @ 0x6e89683b
system+0x1a5e44 @ 0x6e845e44
system+0x1fd8a0 @ 0x6e89d8a0
system+0x1fd792 @ 0x6e89d792
system+0x1a14bd @ 0x6e8414bd
0x89007a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7575b479
registers.esp: 2352692
registers.edi: 1990713288
registers.eax: 17760256
registers.ebp: 2352896
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

freightmgmt.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (50 out of 281 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71fb2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00891000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00892000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00893000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00894000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:51 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00895000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:51 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00896000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:51 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00897000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:51 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:51 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00898000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd81000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dd82000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02707000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02705000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 22, 2021, 9:50 a.m.	process_identifier: 1304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

ConsoleApp13.exe tried to sleep 235 seconds, actually delayed analysis time by 235 seconds

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 15
cmdline	powershell Start-Sleep -s 15
cmdline	powershell Start-Sleep -Seconds 3

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 22, 2021, 9:50 a.m.	show_type: 0 filepath_r: powershell parameters: Start-Sleep -Seconds 3 filepath: powershell	1	1	0
ShellExecuteExW Sept. 22, 2021, 9:50 a.m.	show_type: 0 filepath_r: powershell parameters: Start-Sleep -s 15 filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 22, 2021, 9:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 22, 2021, 9:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 22, 2021, 9:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (19 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 22, 2021, 9:51 a.m.	process_identifier: 888 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c4	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\notapad

reg_value

"C:\Users\test22\AppData\Local\notapad.exe"

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜ¸KP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrc¸KL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 888 process_handle: 0x000003c4	1	1
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 888 process_handle: 0x000003c4	1	1
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: base_address: 0x0046e000 process_identifier: 888 process_handle: 0x000003c4	1	1
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: ÛÓÀÓ?TØnØ?¼Ø?Ùr?u 5´4ë³ØÞ}Í}ôðð??(p'vØBØ^¥«õÝÝÍ½ijQiÞöC£¥'¡(dö¼Ù¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 888 process_handle: 0x000003c4	1	1
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 888 process_handle: 0x000003c4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜ¸KP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrc¸KL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 888 process_handle: 0x000003c4	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Sept. 22, 2021, 9:51 a.m.	thread_identifier: 0 callback_function: 0x0040887b hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	3670337	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2416 called NtSetContextThread to modify thread in remote process 888
NtSetContextThread Sept. 22, 2021, 9:51 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388637 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003c0 process_identifier: 888	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2416 resumed a thread in remote process 888
NtResumeThread Sept. 22, 2021, 9:51 a.m.	thread_handle: 0x000003c0 suspend_count: 1 process_identifier: 888	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.b5b75b3da47bb461
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_80% (W)
BitDefenderTheta	Gen:NN.ZemsilF.34170.Om0@aO8Hdxc
Cyren	W32/MSIL_Kryptik.EUB.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik_AGen.L
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
Avast	FileRepMalware
Emsisoft	Trojan.Agent (A)
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
MaxSecure	Trojan.Malware.300983.susgen
Microsoft	Trojan:Win32/AgentTesla!ml
McAfee	Artemis!B5B75B3DA47B
Malwarebytes	Trojan.MalPack
SentinelOne	Static AI - Malicious PE
AVG	FileRepMalware
Cybereason	malicious.8e11ab

Executed a process and injected code into it, probably while unpacking (27 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 22, 2021, 9:50 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread Sept. 22, 2021, 9:50 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread Sept. 22, 2021, 9:50 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2416	1	0
CreateProcessInternalW Sept. 22, 2021, 9:50 a.m.	thread_identifier: 1444 thread_handle: 0x00000380 process_identifier: 1304 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000388	1	1
CreateProcessInternalW Sept. 22, 2021, 9:50 a.m.	thread_identifier: 668 thread_handle: 0x000003a0 process_identifier: 2856 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 15 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003b8	1	1
CreateProcessInternalW Sept. 22, 2021, 9:51 a.m.	thread_identifier: 1768 thread_handle: 0x000003c0 process_identifier: 888 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\ConsoleApp13.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003c4	1	1
NtGetContextThread Sept. 22, 2021, 9:51 a.m.	thread_handle: 0x000003c0	1	0
NtAllocateVirtualMemory Sept. 22, 2021, 9:51 a.m.	process_identifier: 888 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c4	1	0
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPEL¹8aà ÷0@èÜ¸KP8l8l8l@0t.textf `.rdataXo0p@@.data\= @À.tls à@À.gfids0ð@@.rsrc¸KL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 888 process_handle: 0x000003c4	1	1
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: base_address: 0x00401000 process_identifier: 888 process_handle: 0x000003c4	1	1
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: base_address: 0x00453000 process_identifier: 888 process_handle: 0x000003c4	1	1
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 888 process_handle: 0x000003c4	1	1
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: base_address: 0x0046e000 process_identifier: 888 process_handle: 0x000003c4	1	1
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: ÛÓÀÓ?TØnØ?¼Ø?Ùr?u 5´4ë³ØÞ}Í}ôðð??(p'vØBØ^¥«õÝÝÍ½ijQiÞöC£¥'¡(dö¼Ù¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 888 process_handle: 0x000003c4	1	1
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: base_address: 0x00470000 process_identifier: 888 process_handle: 0x000003c4	1	1
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: base_address: 0x00475000 process_identifier: 888 process_handle: 0x000003c4	1	1
WriteProcessMemory Sept. 22, 2021, 9:51 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 888 process_handle: 0x000003c4	1	1
NtSetContextThread Sept. 22, 2021, 9:51 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388637 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003c0 process_identifier: 888	1	0
NtResumeThread Sept. 22, 2021, 9:51 a.m.	thread_handle: 0x000003c0 suspend_count: 1 process_identifier: 888	1	0
NtResumeThread Sept. 22, 2021, 9:50 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 1304	1	0
NtResumeThread Sept. 22, 2021, 9:50 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 1304	1	0
NtResumeThread Sept. 22, 2021, 9:50 a.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 1304	1	0
NtResumeThread Sept. 22, 2021, 9:50 a.m.	thread_handle: 0x00000494 suspend_count: 1 process_identifier: 1304	1	0
NtResumeThread Sept. 22, 2021, 9:50 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread Sept. 22, 2021, 9:50 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread Sept. 22, 2021, 9:50 a.m.	thread_handle: 0x00000458 suspend_count: 1 process_identifier: 2856	1	0
NtResumeThread Sept. 22, 2021, 9:50 a.m.	thread_handle: 0x000004a4 suspend_count: 1 process_identifier: 2856	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (21 events)

dead_host	192.168.56.101:49222
dead_host	192.168.56.101:49211
dead_host	192.168.56.101:49219
dead_host	192.168.56.101:49215
dead_host	192.168.56.101:49223
dead_host	192.168.56.101:49224
dead_host	192.168.56.101:49207
dead_host	192.168.56.101:49208
dead_host	192.168.56.101:49216
dead_host	192.168.56.101:49212
dead_host	192.168.56.101:49225
dead_host	192.168.56.101:49220
dead_host	192.168.56.101:49209
dead_host	192.168.56.101:49217
dead_host	192.168.56.101:49213
dead_host	192.168.56.101:49221
dead_host	192.168.56.101:49210
dead_host	194.5.98.207:691
dead_host	192.168.56.101:49218
dead_host	192.168.56.101:49214
dead_host	192.168.56.101:49227

ConsoleApp13.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All