Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 20, 2022, 10:33 a.m.	May 20, 2022, 10:55 a.m.

Size	894.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`45edc34840d4064a30068fbce08d3216`
SHA256	`fca9c0410b06e1f10b9f1cab03993f58d9f422a4fdf77688a60d87a175738726`
CRC32	`A55B85E0`
ssdeep	`12288:XsLiwILZeepxNdCj2Rh8+kyWvF1XjoiMB4p/zjSgDE4O5FrN7XIC6SI09TeyVvV4:XsL1mTFd9i1RCyDO3H/nEivB8a`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

men.exe "C:\Users\test22\AppData\Local\Temp\men.exe"
2792
- men.exe "C:\Users\test22\AppData\Local\Temp\men.exe"
  2304

Name	Response	Post-Analysis Lookup
ftp.amalgama-com.gq

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:55871 -> 164.124.101.2:53	2025104	ET INFO DNS Query for Suspicious .gq Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 20, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:33 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 20, 2022, 10:32 a.m.			0	0
IsDebuggerPresent May 20, 2022, 10:32 a.m.			0	0
IsDebuggerPresent May 20, 2022, 10:33 a.m.			0	0
IsDebuggerPresent May 20, 2022, 10:33 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey May 20, 2022, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00726180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00725fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00725fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047e128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047e168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047e168 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 20, 2022, 10:32 a.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ May 20, 2022, 10:33 a.m.	stacktrace: 0x1ff0780 0x1ff06ab 0x1ff0069 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 a3 e7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x1ff0bf3 registers.esp: 3403240 registers.edi: 3403264 registers.eax: 0 registers.ebp: 3403276 registers.edx: 195 registers.ebx: 3403500 registers.esi: 37129520 registers.ecx: 0	1
__exception__ May 20, 2022, 10:33 a.m.	stacktrace: 0x1ff5b16 0x1ff4ba7 0x1ff4a71 0x1ff447b 0x1ff006f DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 39 09 e8 b1 e5 52 6c 89 45 c8 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5512534 registers.esp: 3402272 registers.edi: 3402320 registers.eax: 0 registers.ebp: 3402336 registers.edx: 3402240 registers.ebx: 37213396 registers.esi: 37213436 registers.ecx: 0	1
__exception__ May 20, 2022, 10:33 a.m.	stacktrace: 0x1ff614c 0x1ff4ba7 0x1ff4a71 0x1ff447b 0x1ff006f DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 f2 4f 5a 6c exception.instruction: cmp byte ptr [edi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5519cce registers.esp: 3402288 registers.edi: 0 registers.eax: 37640828 registers.ebp: 3402336 registers.edx: 37640828 registers.ebx: 37640272 registers.esi: 37640248 registers.ecx: 1904036242	1
__exception__ May 20, 2022, 10:33 a.m.	stacktrace: 0x1ff634e 0x1ff4ba7 0x1ff4a71 0x1ff447b 0x1ff006f DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72792652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727a264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727a2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728574ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72857610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728e1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728e1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728e1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728e416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x742ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74907f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74904de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77679ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77679ea5 exception.instruction_r: 39 09 e8 fe 5d 52 6c 83 78 04 00 0f 84 3c 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x551ace7 registers.esp: 3402256 registers.edi: 3402320 registers.eax: 0 registers.ebp: 3402336 registers.edx: 3402224 registers.ebx: 37213396 registers.esi: 37213436 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 96 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:32 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05290000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05291000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x052a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021ce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06691000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06698000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2304 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72791000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72792000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2304 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 20, 2022, 10:33 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000dd800', u'virtual_address': u'0x00002000', u'entropy': 7.6210194269308875, u'name': u'.text', u'virtual_size': u'0x000dd7f4'}

entropy

7.62101942693

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001c00', u'virtual_address': u'0x000e0000', u'entropy': 7.229104973680781, u'name': u'.rsrc', u'virtual_size': u'0x00001bc8'}

entropy

7.22910497368

description

A section with a high entropy has been found

entropy

0.99944040291

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 20, 2022, 10:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 20, 2022, 10:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (12 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess May 20, 2022, 10:33 a.m.	status_code: 0xffffffff process_identifier: 2176 process_handle: 0x000002d8
NtTerminateProcess May 20, 2022, 10:33 a.m.	status_code: 0xffffffff process_identifier: 2176 process_handle: 0x000002d8	1
NtTerminateProcess May 20, 2022, 10:33 a.m.	status_code: 0xffffffff process_identifier: 2264 process_handle: 0x000002e0
NtTerminateProcess May 20, 2022, 10:33 a.m.	status_code: 0xffffffff process_identifier: 2264 process_handle: 0x000002e0	1

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2176 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8		3221225496
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2264 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0		3221225496
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2304 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002dc	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 20, 2022, 10:33 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

men.exe tried to sleep 10912817 seconds, actually delayed analysis time by 10912817 seconds

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2792 manipulating memory of non-child process 2176
Process injection	Process 2792 manipulating memory of non-child process 2264
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2176 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8	3221225496	0
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2264 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0	3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 20, 2022, 10:33 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL@{bà<[ @ @ÐZK` H.text$; < `.rsrc`>@@.relocD@B base_address: 0x00400000 process_identifier: 2304 process_handle: 0x000002dc	1	1
WriteProcessMemory May 20, 2022, 10:33 a.m.	buffer: 8Ph `(cê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNamebWRnRVpHEYvwYZYPUpKeUfx.exe(LegalCopyright `OriginalFilenamebWRnRVpHEYvwYZYPUpKeUfx.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00436000 process_identifier: 2304 process_handle: 0x000002dc	1	1
WriteProcessMemory May 20, 2022, 10:33 a.m.	buffer: P ; base_address: 0x00438000 process_identifier: 2304 process_handle: 0x000002dc	1	1
WriteProcessMemory May 20, 2022, 10:33 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2304 process_handle: 0x000002dc	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 20, 2022, 10:33 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL@{bà<[ @ @ÐZK` H.text$; < `.rsrc`>@@.relocD@B base_address: 0x00400000 process_identifier: 2304 process_handle: 0x000002dc	1	1	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2792 called NtSetContextThread to modify thread in remote process 2304
NtSetContextThread May 20, 2022, 10:33 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4414238 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002e0 process_identifier: 2304	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2792 resumed a thread in remote process 2304
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 2304	1	0	0

Executed a process and injected code into it, probably while unpacking (35 events)

Time & API	Arguments	Status	Return
NtResumeThread May 20, 2022, 10:32 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2792	1	0
NtResumeThread May 20, 2022, 10:32 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2792	1	0
NtResumeThread May 20, 2022, 10:32 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2792	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 2792	1	0
CreateProcessInternalW May 20, 2022, 10:33 a.m.	thread_identifier: 2172 thread_handle: 0x000002b4 process_identifier: 2176 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\men.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\men.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b8	1	1
NtGetContextThread May 20, 2022, 10:33 a.m.	thread_handle: 0x000002b4	1	0
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2176 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8		3221225496
CreateProcessInternalW May 20, 2022, 10:33 a.m.	thread_identifier: 316 thread_handle: 0x000002d8 process_identifier: 2264 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\men.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\men.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtGetContextThread May 20, 2022, 10:33 a.m.	thread_handle: 0x000002d8	1	0
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2264 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0		3221225496
CreateProcessInternalW May 20, 2022, 10:33 a.m.	thread_identifier: 2300 thread_handle: 0x000002e0 process_identifier: 2304 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\men.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\men.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002dc	1	1
NtGetContextThread May 20, 2022, 10:33 a.m.	thread_handle: 0x000002e0	1	0
NtAllocateVirtualMemory May 20, 2022, 10:33 a.m.	process_identifier: 2304 region_size: 237568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002dc	1	0
WriteProcessMemory May 20, 2022, 10:33 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL@{bà<[ @ @ÐZK` H.text$; < `.rsrc`>@@.relocD@B base_address: 0x00400000 process_identifier: 2304 process_handle: 0x000002dc	1	1
WriteProcessMemory May 20, 2022, 10:33 a.m.	buffer: base_address: 0x00402000 process_identifier: 2304 process_handle: 0x000002dc	1	1
WriteProcessMemory May 20, 2022, 10:33 a.m.	buffer: 8Ph `(cê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°äStringFileInfoÀ000004b0,FileDescription 0FileVersion0.0.0.0XInternalNamebWRnRVpHEYvwYZYPUpKeUfx.exe(LegalCopyright `OriginalFilenamebWRnRVpHEYvwYZYPUpKeUfx.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00436000 process_identifier: 2304 process_handle: 0x000002dc	1	1
WriteProcessMemory May 20, 2022, 10:33 a.m.	buffer: P ; base_address: 0x00438000 process_identifier: 2304 process_handle: 0x000002dc	1	1
WriteProcessMemory May 20, 2022, 10:33 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2304 process_handle: 0x000002dc	1	1
NtSetContextThread May 20, 2022, 10:33 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4414238 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002e0 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x000002f4 suspend_count: 1 process_identifier: 2792	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x00000304 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x00000324 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x0000045c suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x00000564 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:33 a.m.	thread_handle: 0x000005b0 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:34 a.m.	thread_handle: 0x000005a8 suspend_count: 1 process_identifier: 2304	1	0
NtResumeThread May 20, 2022, 10:34 a.m.	thread_handle: 0x00000344 suspend_count: 1 process_identifier: 2304	1	0

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Bkav	W32.AIDetectNet.01
tehtris	Generic.Malware
MicroWorld-eScan	Trojan.GenericKD.50306948
FireEye	Generic.mg.45edc34840d4064a
McAfee	RDN/Generic PWS.y
Sangfor	Suspicious.Win32.Save.a
BitDefender	Trojan.GenericKD.50306948
BitDefenderTheta	Gen:NN.ZemsilF.34682.3m0@a8dSjwk
Cyren	W32/MSIL_Troj.CDC.gen!Eldorado
Symantec	Scr.Malcode!gdn30
ESET-NOD32	a variant of MSIL/Kryptik.AFDU
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealer.gen
Ad-Aware	Trojan.GenericKD.50306948
Emsisoft	Trojan.GenericKD.50306948 (B)
McAfee-GW-Edition	BehavesLike.Win32.Trojan.cc
Sophos	Generic ML PUA (PUA)
APEX	Malicious
GData	Trojan.GenericKD.50306948
MAX	malware (ai score=85)
Microsoft	Trojan:Win32/Woreflint.A!cl
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MSILKrypt.R493140
VBA32	CIL.HeapOverride.Heur
ALYac	Gen:Variant.Tedy.121449
Malwarebytes	Trojan.MalPack.PNG.Generic
Ikarus	Trojan.MSIL.Agent
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.FUTR!tr
AVG	Win32:PWSX-gen [Trj]
Avast	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

men.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All