Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 5, 2021, 9:09 a.m.	Nov. 5, 2021, 9:22 a.m.

Size	528.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`519c77369218476103250e9d89e0db48`
SHA256	`41c0fb76fb2d31b65384d53e5c586ddcd672dda488afb62a485589c01aa88432`
CRC32	`20225A5D`
ssdeep	`12288:6nCjZkRX4RxwY46eGl5h1UGTfLDKvSGItTGbWrp:6nCjZkRXWwYR7HUGTfCv+tSbWV`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description)

ConsoleApp16.exe "C:\Users\test22\AppData\Local\Temp\ConsoleApp16.exe"
2348
- ConsoleApp16.exe C:\Users\test22\AppData\Local\Temp\ConsoleApp16.exe
  2748

Name	Response	Post-Analysis Lookup
moneyrem.cc.dvrlists.com	A 23.105.131.222	23.105.131.222

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.105.131.222	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49164 23.105.131.222:2040	None	None	None

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 5, 2021, 9:09 a.m.			0	0
IsDebuggerPresent Nov. 5, 2021, 9:09 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 5, 2021, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b6188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 5, 2021, 9:09 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 5, 2021, 9:10 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e 0x45f448d 0x45f4402 0x45f194b 0x71cf8b 0x71f14f 0x7196fb 0x719b5b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737 mscorlib+0x2d3711 @ 0x722a3711 mscorlib+0x308f2d @ 0x722d8f2d mscorlib+0x3133fd @ 0x722e33fd 0x71041f mscorlib+0x34b4fd @ 0x7231b4fd mscorlib+0x34b466 @ 0x7231b466 mscorlib+0x34b429 @ 0x7231b429 mscorlib+0x3022a6 @ 0x722d22a6 mscorlib+0x34b2d2 @ 0x7231b2d2 mscorlib+0x34b1f7 @ 0x7231b1f7 mscorlib+0x34b13b @ 0x7231b13b mscorlib+0x30d3a5 @ 0x722dd3a5 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95 DllGetClassObjectInternal+0x4a153 CorDllMainForThunk-0x423a8 clr+0x10f1cc @ 0x73a4f1cc LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x739b7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x739b7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x739b7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7394c3bf DllGetClassObjectInternal+0x4a0eb CorDllMainForThunk-0x42410 clr+0x10f164 @ 0x73a4f164 DllGetClassObjectInternal+0x2a4d4 CorDllMainForThunk-0x62027 clr+0xef54d @ 0x73a2f54d DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73a5a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7689b479 registers.esp: 80931356 registers.edi: 1987043272 registers.eax: 10485760 registers.ebp: 80931560 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1	0	0
__exception__ Nov. 5, 2021, 9:10 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e 0x45f448d 0x45f4402 0x45f194b 0x71cf8b 0x71f14f 0x7196fb 0x719b5b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737 mscorlib+0x2d3711 @ 0x722a3711 mscorlib+0x308f2d @ 0x722d8f2d mscorlib+0x3133fd @ 0x722e33fd 0x71041f mscorlib+0x34b4fd @ 0x7231b4fd mscorlib+0x34b466 @ 0x7231b466 mscorlib+0x34b429 @ 0x7231b429 mscorlib+0x3022a6 @ 0x722d22a6 mscorlib+0x34b2d2 @ 0x7231b2d2 mscorlib+0x34b1f7 @ 0x7231b1f7 mscorlib+0x34b13b @ 0x7231b13b mscorlib+0x30d3a5 @ 0x722dd3a5 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95 DllGetClassObjectInternal+0x4a153 CorDllMainForThunk-0x423a8 clr+0x10f1cc @ 0x73a4f1cc LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x739b7d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x739b7dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x739b7e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7394c3bf DllGetClassObjectInternal+0x4a0eb CorDllMainForThunk-0x42410 clr+0x10f164 @ 0x73a4f164 DllGetClassObjectInternal+0x2a4d4 CorDllMainForThunk-0x62027 clr+0xef54d @ 0x73a2f54d DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73a5a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7689b479 registers.esp: 80931356 registers.edi: 1987043272 registers.eax: 10485760 registers.ebp: 80931560 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 5, 2021, 9:10 a.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x45f448d
0x45f4402
0x45f194b
0x71cf8b
0x71f14f
0x7196fb
0x719b5b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737
mscorlib+0x2d3711 @ 0x722a3711
mscorlib+0x308f2d @ 0x722d8f2d
mscorlib+0x3133fd @ 0x722e33fd
0x71041f
mscorlib+0x34b4fd @ 0x7231b4fd
mscorlib+0x34b466 @ 0x7231b466
mscorlib+0x34b429 @ 0x7231b429
mscorlib+0x3022a6 @ 0x722d22a6
mscorlib+0x34b2d2 @ 0x7231b2d2
mscorlib+0x34b1f7 @ 0x7231b1f7
mscorlib+0x34b13b @ 0x7231b13b
mscorlib+0x30d3a5 @ 0x722dd3a5
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95
DllGetClassObjectInternal+0x4a153 CorDllMainForThunk-0x423a8 clr+0x10f1cc @ 0x73a4f1cc
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x739b7d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x739b7dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x739b7e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7394c3bf
DllGetClassObjectInternal+0x4a0eb CorDllMainForThunk-0x42410 clr+0x10f164 @ 0x73a4f164
DllGetClassObjectInternal+0x2a4d4 CorDllMainForThunk-0x62027 clr+0xef54d @ 0x73a2f54d
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73a5a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10
exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479
exception.instruction: mov dword ptr [ecx + edx*4], eax
exception.module: KERNEL32.dll
exception.exception_code: 0xc0000005
exception.offset: 242809
exception.address: 0x7689b479
registers.esp: 80931356
registers.edi: 1987043272
registers.eax: 10485760
registers.ebp: 80931560
registers.edx: 0
registers.ebx: 0
registers.esi: 1
registers.ecx: 0

__exception__

Nov. 5, 2021, 9:10 a.m.

stacktrace:

K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7689b37e
0x45f448d
0x45f4402
0x45f194b
0x71cf8b
0x71f14f
0x7196fb
0x719b5b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73942652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x739c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x739c1737
mscorlib+0x2d3711 @ 0x722a3711
mscorlib+0x308f2d @ 0x722d8f2d
mscorlib+0x3133fd @ 0x722e33fd
0x71041f
mscorlib+0x34b4fd @ 0x7231b4fd
mscorlib+0x34b466 @ 0x7231b466
mscorlib+0x34b429 @ 0x7231b429
mscorlib+0x3022a6 @ 0x722d22a6
mscorlib+0x34b2d2 @ 0x7231b2d2
mscorlib+0x34b1f7 @ 0x7231b1f7
mscorlib+0x34b13b @ 0x7231b13b
mscorlib+0x30d3a5 @ 0x722dd3a5
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7395264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73952e95
DllGetClassObjectInternal+0x4a153 CorDllMainForThunk-0x423a8 clr+0x10f1cc @ 0x73a4f1cc
LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x739b7d4d
LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x739b7dbb
LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x739b7e88
DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x7394c3bf
DllGetClassObjectInternal+0x4a0eb CorDllMainForThunk-0x42410 clr+0x10f164 @ 0x73a4f164
DllGetClassObjectInternal+0x2a4d4 CorDllMainForThunk-0x62027 clr+0xef54d @ 0x73a2f54d
DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x73a5a0cf
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (39 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73942000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:09 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00718000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2348 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

ConsoleApp16.exe tried to sleep 299 seconds, actually delayed analysis time by 299 seconds

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007b600', u'virtual_address': u'0x00002000', u'entropy': 7.993506058476319, u'name': u'.text', u'virtual_size': u'0x0007b4e4'}

entropy

7.99350605848

description

A section with a high entropy has been found

entropy

0.934659090909

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 5, 2021, 9:10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (19 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	browser info stealer	rule	infoStealer_browser_Zero

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Nov. 5, 2021, 9:10 a.m.	status_code: 0xffffffff process_identifier: 2712 process_handle: 0x00000298		0	0
NtTerminateProcess Nov. 5, 2021, 9:10 a.m.	status_code: 0xffffffff process_identifier: 2712 process_handle: 0x00000298	1	0	0

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 27ce11a739202f37f32fe1fb2dad0d2b9f812621

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2712 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496	0
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2748 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000029c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 5, 2021, 9:09 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\taskmgrs

reg_value

"C:\Users\test22\AppData\Roaming\taskmgrs.exe"

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2348 manipulating memory of non-child process 2712
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2712 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ª@0îb.cîb.cîb.cZþßcüb.cZþÝcOb.cZþÜcðb.cçªcïb.cpÂécìb.cÕ<-bôb.cÕ<+bÔb.cÕ<*bÌb.cç½cûb.cîb/cÏc.cy<'b±b.c\|<Ñcïb.cy<,bïb.cRichîb.cPEL;Waà 9ü0@ÜTKPÄ8 l8´lXl@0\|.text `.rdatao0p$@@.dataì? @À.tls à¢@À.gfids0ð¤@@.rsrcTKL¨@@.relocÄ8P:ô@B base_address: 0x00400000 process_identifier: 2748 process_handle: 0x0000029c	1	1
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ¬tE°wEªtE..p¡F<¶F<¶F<¶F<¶F<¶F<¶F<¶F<¶F<¶Ft¡F@¶F@¶F@¶F@¶F@¶F@¶F@¶Fx¡Fÿÿÿÿ°wE¢F¢F¢F¢F¢Fx¡F0zE°{EEØ¡Fp§FCPSTPDT ¢Fà¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZp§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2748 process_handle: 0x0000029c	1	1
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: base_address: 0x0046e000 process_identifier: 2748 process_handle: 0x0000029c	1	1
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: ÙôØ?iÝÝ?ÑÝ?Ùw?zÊ@t@G##ÈÝÞÍ(öÐõ??M- ,ÝWÝÖ±ßú»Þ»Þý »#»{\|QnÊã='¢t¨ÄªX¦-ûÅÁÍÞ¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2748 process_handle: 0x0000029c	1	1
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2748 process_handle: 0x0000029c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ª@0îb.cîb.cîb.cZþßcüb.cZþÝcOb.cZþÜcðb.cçªcïb.cpÂécìb.cÕ<-bôb.cÕ<+bÔb.cÕ<*bÌb.cç½cûb.cîb/cÏc.cy<'b±b.c\|<Ñcïb.cy<,bïb.cRichîb.cPEL;Waà 9ü0@ÜTKPÄ8 l8´lXl@0\|.text `.rdatao0p$@@.dataì? @À.tls à¢@À.gfids0ð¤@@.rsrcTKL¨@@.relocÄ8P:ô@B base_address: 0x00400000 process_identifier: 2748 process_handle: 0x0000029c	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Nov. 5, 2021, 9:10 a.m.	thread_identifier: 0 callback_function: 0x00408981 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	459217	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2348 called NtSetContextThread to modify thread in remote process 2748
NtSetContextThread Nov. 5, 2021, 9:10 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4389945 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000298 process_identifier: 2748	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2348 resumed a thread in remote process 2748
NtResumeThread Nov. 5, 2021, 9:10 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2748	1	0	0

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
FireEye	Generic.mg.519c773692184761
McAfee	Artemis!519C77369218
Cylance	Unsafe
Cybereason	malicious.3e7db4
BitDefenderTheta	Gen:NN.ZemsilF.34266.Hm0@aW1At4k
Cyren	W32/MSIL_Kryptik.EVZ.gen!Eldorado
ESET-NOD32	a variant of MSIL/Kryptik.ADIO
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Generic
Avast	FileRepMalware
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Krypt
eGambit	Unsafe.AI_Score_83%
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
Malwarebytes	Trojan.Crypt.MSIL
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_80% (W)

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 5, 2021, 9:09 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Nov. 5, 2021, 9:09 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Nov. 5, 2021, 9:09 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Nov. 5, 2021, 9:09 a.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Nov. 5, 2021, 9:09 a.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 2348	1	0
NtResumeThread Nov. 5, 2021, 9:09 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2348	1	0
CreateProcessInternalW Nov. 5, 2021, 9:10 a.m.	thread_identifier: 2716 thread_handle: 0x000002a0 process_identifier: 2712 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\ConsoleApp16.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtGetContextThread Nov. 5, 2021, 9:10 a.m.	thread_handle: 0x000002a0	1	0
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2712 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a4		3221225496
CreateProcessInternalW Nov. 5, 2021, 9:10 a.m.	thread_identifier: 2752 thread_handle: 0x00000298 process_identifier: 2748 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\ConsoleApp16.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000029c	1	1
NtGetContextThread Nov. 5, 2021, 9:10 a.m.	thread_handle: 0x00000298	1	0
NtAllocateVirtualMemory Nov. 5, 2021, 9:10 a.m.	process_identifier: 2748 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000029c	1	0
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ª@0îb.cîb.cîb.cZþßcüb.cZþÝcOb.cZþÜcðb.cçªcïb.cpÂécìb.cÕ<-bôb.cÕ<+bÔb.cÕ<*bÌb.cç½cûb.cîb/cÏc.cy<'b±b.c\|<Ñcïb.cy<,bïb.cRichîb.cPEL;Waà 9ü0@ÜTKPÄ8 l8´lXl@0\|.text `.rdatao0p$@@.dataì? @À.tls à¢@À.gfids0ð¤@@.rsrcTKL¨@@.relocÄ8P:ô@B base_address: 0x00400000 process_identifier: 2748 process_handle: 0x0000029c	1	1
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: base_address: 0x00401000 process_identifier: 2748 process_handle: 0x0000029c	1	1
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: base_address: 0x00453000 process_identifier: 2748 process_handle: 0x0000029c	1	1
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ¬tE°wEªtE..p¡F<¶F<¶F<¶F<¶F<¶F<¶F<¶F<¶F<¶Ft¡F@¶F@¶F@¶F@¶F@¶F@¶F@¶Fx¡Fÿÿÿÿ°wE¢F¢F¢F¢F¢Fx¡F0zE°{EEØ¡Fp§FCPSTPDT ¢Fà¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZp§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2748 process_handle: 0x0000029c	1	1
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: base_address: 0x0046e000 process_identifier: 2748 process_handle: 0x0000029c	1	1
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: ÙôØ?iÝÝ?ÑÝ?Ùw?zÊ@t@G##ÈÝÞÍ(öÐõ??M- ,ÝWÝÖ±ßú»Þ»Þý »#»{\|QnÊã='¢t¨ÄªX¦-ûÅÁÍÞ¼ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2748 process_handle: 0x0000029c	1	1
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: base_address: 0x00470000 process_identifier: 2748 process_handle: 0x0000029c	1	1
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: base_address: 0x00475000 process_identifier: 2748 process_handle: 0x0000029c	1	1
WriteProcessMemory Nov. 5, 2021, 9:10 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2748 process_handle: 0x0000029c	1	1
NtSetContextThread Nov. 5, 2021, 9:10 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4389945 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000298 process_identifier: 2748	1	0
NtResumeThread Nov. 5, 2021, 9:10 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2748	1	0

ConsoleApp16.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All