Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 24, 2021, 12:42 p.m.	Dec. 24, 2021, 12:48 p.m.

Size	799.1KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`026c6ed9154e7cfa7329ef6d006f162a`
SHA256	`b2cc06da4ded75a02683e73536f3a0af671b55bc28c9a2627d7afdaac66b9e32`
CRC32	`1C025948`
ssdeep	`12288:fRoeUz2RKfmnC18kfWO6TBVG6zrFDIefOnT:Z4918kfaBZFDI4OnT`
Yara	hide_executable_file - Hide executable file PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

join.pif "C:\Users\test22\AppData\Local\Temp\join.pif"
2876
- AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
  2256
- AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
  2460
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\test22\AppData\Local\Temp\join.pif" -Force
  2672

Name	Response	Post-Analysis Lookup
jerenyankipong.duckdns.org	A 129.232.18.35	129.232.18.35
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
129.232.18.35	Active	Moloch
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49170 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
UDP 192.168.56.101:57609 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 24, 2021, 12:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 24, 2021, 12:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 24, 2021, 12:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 24, 2021, 12:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 24, 2021, 12:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 24, 2021, 12:47 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 24, 2021, 12:42 p.m.			0	0
IsDebuggerPresent Dec. 24, 2021, 12:42 p.m.			0	0
IsDebuggerPresent Dec. 24, 2021, 12:47 p.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 24, 2021, 12:47 p.m.	buffer: Remove-Item : Cannot remove item C:\Users\test22\AppData\Local\Temp\join.pif: A console_handle: 0x00000023	1	1
WriteConsoleW Dec. 24, 2021, 12:47 p.m.	buffer: ccess to the path 'C:\Users\test22\AppData\Local\Temp\join.pif' is denied. console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 24, 2021, 12:47 p.m.	buffer: At line:1 char:30 console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 24, 2021, 12:47 p.m.	buffer: + Start-Sleep -s 5; Remove-Item <<<< -Path C:\Users\test22\AppData\Local\Temp\ console_handle: 0x00000047	1	1
WriteConsoleW Dec. 24, 2021, 12:47 p.m.	buffer: join.pif -Force console_handle: 0x00000053	1	1
WriteConsoleW Dec. 24, 2021, 12:47 p.m.	buffer: + CategoryInfo : PermissionDenied: (C:\Users\test22...l\Temp\join console_handle: 0x0000005f	1	1
WriteConsoleW Dec. 24, 2021, 12:47 p.m.	buffer: .pif:FileInfo) [Remove-Item], UnauthorizedAccessException console_handle: 0x0000006b	1	1
WriteConsoleW Dec. 24, 2021, 12:47 p.m.	buffer: + FullyQualifiedErrorId : RemoveFileSystemItemUnAuthorizedAccess,Microsoft console_handle: 0x00000077	1	1
WriteConsoleW Dec. 24, 2021, 12:47 p.m.	buffer: .PowerShell.Commands.RemoveItemCommand console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f67f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f67f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f67f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f67f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f67f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f67f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f5c30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f6970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 24, 2021, 12:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 24, 2021, 12:42 p.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Dec. 24, 2021, 12:43 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x4e1d158 0x4e1d08c 0x4e1b629 0x4e18b76 0x4e18435 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x2cb060 @ 0x7213b060 0x48f0ec4 0x531f8c0 0x53155f7 0x7ca7f6 0x7ca04e 0x7c9cae 0x7c9c25 0x7c8753 0x7c7904 0x7c54de 0x7c53fe 0x7c5366 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x7c044d 0x7c0079 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 3064384 registers.edi: 1980555208 registers.eax: 16777216 registers.ebp: 3064588 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Dec. 24, 2021, 12:43 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x4e1d158 0x4e1d08c 0x4e1b629 0x4e18b76 0x4e18435 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x2cb060 @ 0x7213b060 0x48f0ec4 0x531f8c0 0x53155f7 0x7ca7f6 0x7ca04e 0x7c9cae 0x7c9c25 0x7c8753 0x7c7904 0x7c54de 0x7c53fe 0x7c5366 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x7c044d 0x7c0079 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 3064384 registers.edi: 1980555208 registers.eax: 4194304 registers.ebp: 3064588 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Dec. 24, 2021, 12:43 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x4e1d158 0x4e1d08c 0x4e1b629 0x4e18b76 0x4e18435 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x2cb060 @ 0x7213b060 0x48f0ec4 0x531f8c0 0x53155f7 0x7ca7f6 0x7ca04e 0x7c9cae 0x7c9c25 0x7c8753 0x7c7904 0x7c54de 0x7c53fe 0x7c5366 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x7c044d 0x7c0079 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 3064384 registers.edi: 1980555208 registers.eax: 9371648 registers.ebp: 3064588 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ Dec. 24, 2021, 12:43 p.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x7670b37e 0x4e1d158 0x4e1d08c 0x4e1b629 0x4e18b76 0x4e18435 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d mscorlib+0x2cb060 @ 0x7213b060 0x48f0ec4 0x531f8c0 0x53155f7 0x7ca7f6 0x7ca04e 0x7c9cae 0x7c9c25 0x7c8753 0x7c7904 0x7c54de 0x7c53fe 0x7c5366 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72eb1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72eb1737 mscorlib+0x2d3711 @ 0x72143711 mscorlib+0x308f2d @ 0x72178f2d 0x7c044d 0x7c0079 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72e32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72e4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72e42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72ef74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72ef7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72f81dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72f81e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72f81f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72f8416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7488f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x7670b479 registers.esp: 3064384 registers.edi: 1980555208 registers.eax: 569114624 registers.ebp: 3064588 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

jerenyankipong.duckdns.org

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/json/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 194 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05310000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05311000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:42 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2876 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2876 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2876 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\AdvancedRun.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Users\test22\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
cmdline	powershell Start-Sleep -s 5; Remove-Item -Path "C:\Users\test22\AppData\Local\Temp\join.pif" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\test22\AppData\Local\Temp\join.pif" -Force

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\AdvancedRun.exe
file	C:\Users\test22\AppData\Local\Temp\join.pif

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 24, 2021, 12:43 p.m.	thread_identifier: 2316 thread_handle: 0x0000026c process_identifier: 2256 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000278	1	1
CreateProcessInternalW Dec. 24, 2021, 12:43 p.m.	thread_identifier: 2484 thread_handle: 0x0000026c process_identifier: 2460 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000280	1	1
ShellExecuteExW Dec. 24, 2021, 12:43 p.m.	show_type: 0 filepath_r: powershell parameters: Start-Sleep -s 5; Remove-Item -Path "C:\Users\test22\AppData\Local\Temp\join.pif" -Force filepath: powershell	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW Dec. 24, 2021, 12:47 p.m.	snapshot_handle: 0x0000010c process_name: pw.exe process_identifier: 2524	1	1
Process32NextW Dec. 24, 2021, 12:47 p.m.	snapshot_handle: 0x0000010c process_name: join.pif process_identifier: 2876	1	1
Process32NextW Dec. 24, 2021, 12:47 p.m.	snapshot_handle: 0x0000010c process_name: taskhost.exe process_identifier: 2240	1	1
Process32NextW Dec. 24, 2021, 12:47 p.m.	snapshot_handle: 0x0000010c process_name: AdvancedRun.exe process_identifier: 2256	1	1
Process32NextW Dec. 24, 2021, 12:47 p.m.	snapshot_handle: 0x0000010c process_name: TrustedInstaller.exe process_identifier: 2344	1	1
Process32NextW Dec. 24, 2021, 12:47 p.m.	snapshot_handle: 0x0000010c process_name: AdvancedRun.exe process_identifier: 2460	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007de00', u'virtual_address': u'0x00002000', u'entropy': 7.264733603757088, u'name': u'.text', u'virtual_size': u'0x0007dd08'}

entropy

7.26473360376

description

A section with a high entropy has been found

entropy

0.641401273885

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Dec. 24, 2021, 12:43 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 24, 2021, 12:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 24, 2021, 12:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 24, 2021, 12:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (14 events)

description	Communications use DNS	rule	Network_DNS
description	Run a KeyLogger	rule	KeyLogger
description	task schedule	rule	schtasks_Zero
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Users\test22\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Users\test22\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2716 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240	1	0	0

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\join.pif

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2876 manipulating memory of non-child process 2716
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2716 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2876 injected into non-child 2716
WriteProcessMemory Dec. 24, 2021, 12:43 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÄaàb Þ @ à@W À H.textäa b `.rsrc d@@.relocÀl@B base_address: 0x00400000 process_identifier: 2716 process_handle: 0x00000240	1	1	0
WriteProcessMemory Dec. 24, 2021, 12:43 p.m.	buffer: P8hd ÔÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.3.0.06InternalNameClient.exe&LegalCopyrightLegalTrademarks>OriginalFilenameClient.exe"ProductName4ProductVersion1.3.0.08Assembly Version1.3.0.0t£xï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0045a000 process_identifier: 2716 process_handle: 0x00000240	1	1	0
WriteProcessMemory Dec. 24, 2021, 12:43 p.m.	buffer: à1 base_address: 0x0045c000 process_identifier: 2716 process_handle: 0x00000240	1	1	0
WriteProcessMemory Dec. 24, 2021, 12:43 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2716 process_handle: 0x00000240	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2876 injected into non-child 2716
WriteProcessMemory Dec. 24, 2021, 12:43 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÄaàb Þ @ à@W À H.textäa b `.rsrc d@@.relocÀl@B base_address: 0x00400000 process_identifier: 2716 process_handle: 0x00000240	1	1	0

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Lionic	Trojan.MSIL.Crypt.4!c
Elastic	malicious (high confidence)
Cylance	Unsafe
Cybereason	malicious.8f373a
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Dropper.Generic-7113183-0
Kaspersky	UDS:Trojan-Downloader.MSIL.Seraph.gen
Sophos	Mal/Generic-S
Avira	TR/Dropper.MSIL.Gen8
Kingsoft	Win32.Troj.Undef.(kcloud)
Cynet	Malicious (score: 99)
BitDefenderTheta	Gen:NN.ZemsilF.34084.Xm2@a8vfXSh
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
CrowdStrike	win/malicious_confidence_80% (D)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2876 called NtSetContextThread to modify thread in remote process 2716
NtSetContextThread Dec. 24, 2021, 12:43 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555230 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 2716	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2876 resumed a thread in remote process 2716
NtResumeThread Dec. 24, 2021, 12:43 p.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2716	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Executed a process and injected code into it, probably while unpacking (20 events)

Time & API	Arguments	Status	Return
NtResumeThread Dec. 24, 2021, 12:42 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread Dec. 24, 2021, 12:42 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2876	1	0
NtResumeThread Dec. 24, 2021, 12:42 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2876	1	0
CreateProcessInternalW Dec. 24, 2021, 12:43 p.m.	thread_identifier: 2316 thread_handle: 0x0000026c process_identifier: 2256 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000278	1	1
CreateProcessInternalW Dec. 24, 2021, 12:43 p.m.	thread_identifier: 2484 thread_handle: 0x0000026c process_identifier: 2460 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000280	1	1
CreateProcessInternalW Dec. 24, 2021, 12:43 p.m.	thread_identifier: 2676 thread_handle: 0x000003ac process_identifier: 2672 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\test22\AppData\Local\Temp\join.pif" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003b4	1	1
CreateProcessInternalW Dec. 24, 2021, 12:43 p.m.	thread_identifier: 2712 thread_handle: 0x00000208 process_identifier: 2716 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\join.pif filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000240	1	1
NtGetContextThread Dec. 24, 2021, 12:43 p.m.	thread_handle: 0x00000208	1	0
NtAllocateVirtualMemory Dec. 24, 2021, 12:43 p.m.	process_identifier: 2716 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000240	1	0
WriteProcessMemory Dec. 24, 2021, 12:43 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÄaàb Þ @ à@W À H.textäa b `.rsrc d@@.relocÀl@B base_address: 0x00400000 process_identifier: 2716 process_handle: 0x00000240	1	1
WriteProcessMemory Dec. 24, 2021, 12:43 p.m.	buffer: base_address: 0x00402000 process_identifier: 2716 process_handle: 0x00000240	1	1
WriteProcessMemory Dec. 24, 2021, 12:43 p.m.	buffer: P8hd ÔÔ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.3.0.06InternalNameClient.exe&LegalCopyrightLegalTrademarks>OriginalFilenameClient.exe"ProductName4ProductVersion1.3.0.08Assembly Version1.3.0.0t£xï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x0045a000 process_identifier: 2716 process_handle: 0x00000240	1	1
WriteProcessMemory Dec. 24, 2021, 12:43 p.m.	buffer: à1 base_address: 0x0045c000 process_identifier: 2716 process_handle: 0x00000240	1	1
WriteProcessMemory Dec. 24, 2021, 12:43 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2716 process_handle: 0x00000240	1	1
NtSetContextThread Dec. 24, 2021, 12:43 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4555230 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 2716	1	0
NtResumeThread Dec. 24, 2021, 12:43 p.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2716	1	0
NtResumeThread Dec. 24, 2021, 12:47 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Dec. 24, 2021, 12:47 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Dec. 24, 2021, 12:47 p.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2672	1	0
NtResumeThread Dec. 24, 2021, 12:47 p.m.	thread_handle: 0x00000494 suspend_count: 1 process_identifier: 2672	1	0

join.pif

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All