Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 25, 2023, 6:50 p.m.	July 25, 2023, 7:05 p.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`87b5d7e79ba17f3819a61ec39099defd`
SHA256	`699a19c6832f8848da4e76fd02f941cd6be4cb615b1bfcbe94205549cf925d8a`
CRC32	`64BE4093`
ssdeep	`24576:s0u5dUmdUhRR6C+Mq/z9bc4d3nUl//Ghus1e4M0EtMqnJnE8V:s0uwTB6C+Mq/RcM3nenGhE0GpnJxV`
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

scandk464646464.exe "C:\Users\test22\AppData\Local\Temp\scandk464646464.exe"
1532
- Powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\scandk464646464.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'
  2164
- scandk464646464.exe "C:\Users\test22\AppData\Local\Temp\scandk464646464.exe"
  2500
  - Tswbdzzhdxro.exe "C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe"
    2828
    - Powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe'
      2964
    - Tswbdzzhdxro.exe "C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe"
      1000
  - Qputuwjvixr.exe "C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe"
    2868
    - Qputuwjvixr.exe "C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe"
      1960
    - cmd.exe "cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\svchost"
      1676
    - cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
      2692
      - schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
        2856
    - cmd.exe "cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe"
      2816

Name	Response	Post-Analysis Lookup
apps.identrust.com	CNAME identrust.edgesuite.net CNAME a1952.dscq.akamai.net A 23.67.53.27 A 23.67.53.17	23.67.53.17
mail.product-secured.com	CNAME product-secured.com A 179.43.183.46	179.43.183.46
softwarez.online	A 5.42.77.168	5.42.77.168
api.ipify.org	A 64.185.227.156 CNAME api4.ipify.org A 104.237.62.211 A 173.231.16.76	64.185.227.156

IP Address	Status	Action
164.124.101.2	Active	Moloch
173.231.16.76	Active	Moloch
179.43.183.46	Active	Moloch
23.67.53.27	Active	Moloch
5.42.77.168	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 173.231.16.76:443 -> 192.168.56.103:49180	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 173.231.16.76:443 -> 192.168.56.103:49173	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 173.231.16.76:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 173.231.16.76:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 5.42.77.168:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 179.43.183.46:587 -> 192.168.56.103:49186	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 179.43.183.46:587 -> 192.168.56.103:49186	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49186 -> 179.43.183.46:587	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49181 5.42.77.168:443	C=US, O=Let's Encrypt, CN=R3	CN=www.softwarez.online	1c:91:06:45:8e:a4:b3:c4:64:5d:f0:95:e6:29:bb:d2:2a:63:a3:89

Queries for the computername (25 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 25, 2023, 7:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:03 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 25, 2023, 7:04 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (14 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 25, 2023, 5:54 p.m.			0	0
IsDebuggerPresent July 25, 2023, 5:54 p.m.			0	0
IsDebuggerPresent July 25, 2023, 5:54 p.m.			0	0
IsDebuggerPresent July 25, 2023, 7:03 p.m.			0	0
IsDebuggerPresent July 25, 2023, 7:03 p.m.			0	0
IsDebuggerPresent July 25, 2023, 7:03 p.m.			0	0
IsDebuggerPresent July 25, 2023, 7:03 p.m.			0	0
IsDebuggerPresent July 25, 2023, 7:03 p.m.			0	0
IsDebuggerPresent July 25, 2023, 7:03 p.m.			0	0
IsDebuggerPresent July 25, 2023, 7:03 p.m.			0	0
IsDebuggerPresent July 25, 2023, 7:03 p.m.			0	0
IsDebuggerPresent July 25, 2023, 7:03 p.m.			0	0
IsDebuggerPresent July 25, 2023, 7:04 p.m.			0	0
IsDebuggerPresent July 25, 2023, 7:04 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 90 events)

Time & API	Arguments	Status	Return
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030da18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030da18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030da18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d0d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030da18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030da18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030da18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030db58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030d718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 5:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030dc98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 7:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00313390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 7:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00313950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 7:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00313950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 7:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00313950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 7:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003130d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 7:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003130d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 7:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003130d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 7:03 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003130d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 25, 2023, 5:54 p.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ July 25, 2023, 5:54 p.m.	stacktrace: 0x7b1901 0x7b181a 0x7b1750 0x7b16d0 0x7b1613 0x7b15b7 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x73f59efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x73f59fa2 DllGetClassObjectInternal+0x8bed4 CorDllMainForThunk-0x627 clr+0x150f4d @ 0x74080f4d DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x73f4bcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x73f32ae9 0x7b127b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x73f59efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x73f59fa2 DllGetClassObjectInternal+0x8bed4 CorDllMainForThunk-0x627 clr+0x150f4d @ 0x74080f4d DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x73f4bcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x73f32ae9 0x7b1227 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x73f59df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x73f59e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x73f59efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x73f59fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x73fb564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x73f8be63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x73f8b998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x73f8b726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x73f8bf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x73f8bce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x73f4cca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x73f4cd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x74038841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x73fb14e9 mscorlib+0x2d36ad @ 0x728936ad mscorlib+0x308f2d @ 0x728c8f2d 0x7b1169 0x7b09ef 0x7b09c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x73f570df LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x73fa412e mscorlib+0x2f1c22 @ 0x728b1c22 mscorlib+0x2f1b99 @ 0x728b1b99 mscorlib+0x2f0814 @ 0x728b0814 mscorlib+0x307407 @ 0x728c7407 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73ff74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73ff7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74081dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74081e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74081f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7408416a exception.instruction_r: 83 78 04 00 0f 85 4b 2b 00 00 c7 85 dc fd ff ff exception.instruction: cmp dword ptr [eax + 4], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7b2b14 registers.esp: 3656756 registers.edi: 3658196 registers.eax: 0 registers.ebp: 3658208 registers.edx: 0 registers.ebx: 3658592 registers.esi: 3372 registers.ecx: 7825848	1
__exception__ July 25, 2023, 7:03 p.m.	stacktrace: 0x711901 0x71181a 0x711750 0x7116d0 0x711613 0x7115b7 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72f09df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72f09e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72f09efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72f09fa2 DllGetClassObjectInternal+0x8bed4 CorDllMainForThunk-0x627 clr+0x150f4d @ 0x73030f4d DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x72efbcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72ee2ae9 0x71127b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72f09df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72f09e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72f09efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72f09fa2 DllGetClassObjectInternal+0x8bed4 CorDllMainForThunk-0x627 clr+0x150f4d @ 0x73030f4d DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x72efbcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x72ee2ae9 0x711227 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72f09df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72f09e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72f09efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72f09fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x72f6564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x72f3be63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x72f3b998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x72f3b726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x72f3bf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x72f3bce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x72efcca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x72efcd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x72fe8841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x72f614e9 mscorlib+0x2d36ad @ 0x712336ad mscorlib+0x308f2d @ 0x71268f2d 0x711169 0x7109ef 0x7109c6 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 CoUninitializeEE+0x789b CreateAssemblyNameObject-0x63ba clr+0x270df @ 0x72f070df LogHelp_TerminateOnAssert+0x55ee GetPrivateContextsPerfCounters-0x13e54 clr+0x7412e @ 0x72f5412e mscorlib+0x2f1c22 @ 0x71251c22 mscorlib+0x2f1b99 @ 0x71251b99 mscorlib+0x2f0814 @ 0x71250814 mscorlib+0x307407 @ 0x71267407 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a exception.instruction_r: 83 78 04 00 0f 85 4b 2b 00 00 c7 85 dc fd ff ff exception.instruction: cmp dword ptr [eax + 4], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x712b14 registers.esp: 3983268 registers.edi: 3984708 registers.eax: 0 registers.ebp: 3984720 registers.edx: 0 registers.ebx: 3985104 registers.esi: 3372 registers.ecx: 6646200	1
__exception__ July 25, 2023, 7:03 p.m.	stacktrace: 0xaf08dc 0xaf086a 0xaf06e2 0xaf0060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xaf3bc5 registers.esp: 3404440 registers.edi: 3404464 registers.eax: 0 registers.ebp: 3404476 registers.edx: 195 registers.ebx: 39592100 registers.esi: 39596060 registers.ecx: 0	1
__exception__ July 25, 2023, 7:04 p.m.	stacktrace: 0x5b090c 0x5b089a 0x5b0746 0x5b0074 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5b3bf5 registers.esp: 3731576 registers.edi: 3731600 registers.eax: 0 registers.ebp: 3731612 registers.edx: 195 registers.ebx: 38281436 registers.esi: 38285396 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (50 out of 468 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00405000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04921000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04926000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04928000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04929000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0492a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 1532 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0492b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eb81000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eb82000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02761000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02563000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02564000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (10 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe
file	C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\scandk464646464.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'
cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\svchost"
cmdline	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe'
cmdline	"cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe"

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe
file	C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe
file	C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2168 thread_handle: 0x00000240 process_identifier: 2164 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\scandk464646464.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000023c	1	1
CreateProcessInternalW July 25, 2023, 7:03 p.m.	thread_identifier: 2968 thread_handle: 0x00000240 process_identifier: 2964 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000023c	1	1
CreateProcessInternalW July 25, 2023, 7:04 p.m.	thread_identifier: 516 thread_handle: 0x00000298 process_identifier: 1676 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\svchost" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002ac	1	1
CreateProcessInternalW July 25, 2023, 7:04 p.m.	thread_identifier: 2708 thread_handle: 0x00000298 process_identifier: 2692 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002b8	1	1
CreateProcessInternalW July 25, 2023, 7:04 p.m.	thread_identifier: 2820 thread_handle: 0x00000298 process_identifier: 2816 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd.exe" /C copy "C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe" "C:\Users\test22\AppData\Roaming\svchost\svchost.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000002bc	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 25, 2023, 7:03 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0013fc00', u'virtual_address': u'0x00002000', u'entropy': 7.961105096655022, u'name': u'.text', u'virtual_size': u'0x0013fa54'}

entropy

7.96110509666

description

A section with a high entropy has been found

entropy

0.82756389518

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 25, 2023, 5:54 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 25, 2023, 5:54 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 25, 2023, 7:03 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 25, 2023, 7:03 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 25, 2023, 7:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 25, 2023, 7:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (31 events)

description	Win Trojan AgentTesla	rule	Win_Trojan_AgentTesla_M_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 25, 2023, 5:54 p.m.	status_code: 0xffffffff process_identifier: 2416 process_handle: 0x00000260		0	0
NtTerminateProcess July 25, 2023, 5:54 p.m.	status_code: 0xffffffff process_identifier: 2416 process_handle: 0x00000260	1	0	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"cmd.exe" /C mkdir "C:\Users\test22\AppData\Roaming\svchost"
cmdline	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f

One or more of the buffers contains an embedded PE file (5 events)

buffer	Buffer with sha1: ea121214f0c1e113d5c5195cc03bc9940bb30337
buffer	Buffer with sha1: 04a0183e7fd1c548bf7ab5f416625f37b1e2ae65
buffer	Buffer with sha1: de0952778495020c0b3503827eb815a118663362
buffer	Buffer with sha1: 1361e0435f0f166c01277d35f3a146b142ef19f2
buffer	Buffer with sha1: 1c0bdfa732b4d067dc31bfbeef61f81cade01851

Makes SMTP requests, possibly sending spam (1 event)

receiver

[]

sender

[]

server

179.43.183.46

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2416 region_size: 1032192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000254		3221225496
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2500 region_size: 1032192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c	1	0
NtAllocateVirtualMemory July 25, 2023, 7:03 p.m.	process_identifier: 1000 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0
NtAllocateVirtualMemory July 25, 2023, 7:04 p.m.	process_identifier: 1960 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0

A process attempted to delay the analysis task. (2 events)

description	Qputuwjvixr.exe tried to sleep 2728253 seconds, actually delayed analysis time by 2728253 seconds
description	Tswbdzzhdxro.exe tried to sleep 2728224 seconds, actually delayed analysis time by 2728224 seconds

Installs itself for autorun at Windows startup (2 events)

cmdline	schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f
cmdline	"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\test22\AppData\Roaming\svchost\svchost.exe'" /f

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1532 manipulating memory of non-child process 2416
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2416 region_size: 1032192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000254		3221225496	0

Potential code injection by writing to the memory of another process (12 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÚoºdà*^! @@ À!K`¼% H.textd `.sdata±@@À.rsrc¼%`&@@.reloc .@B base_address: 0x00400000 process_identifier: 2500 process_handle: 0x0000025c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: 8ª:ðÅ[±R^ÇeaD+¡g£äò¶¤äæÞÂÝ dÅD'9üïöNRfhn M"vµ33m M"¡)avµX0 0*H÷ 0!0 + base_address: 0x004b4000 process_identifier: 2500 process_handle: 0x0000025c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: `1 base_address: 0x004fa000 process_identifier: 2500 process_handle: 0x0000025c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2500 process_handle: 0x0000025c	1	1
WriteProcessMemory July 25, 2023, 7:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL ¥dà0Î¦ @ @¦KÀFà H.textÔ `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 1000 process_handle: 0x00000258	1	1
WriteProcessMemory July 25, 2023, 7:03 p.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNameda885a07-149c-487c-ae4e-521a587aedfb.exe(LegalCopyright \|)OriginalFilenameda885a07-149c-487c-ae4e-521a587aedfb.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 1000 process_handle: 0x00000258	1	1
WriteProcessMemory July 25, 2023, 7:03 p.m.	buffer: Ð6 base_address: 0x0042e000 process_identifier: 1000 process_handle: 0x00000258	1	1
WriteProcessMemory July 25, 2023, 7:03 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1000 process_handle: 0x00000258	1	1
WriteProcessMemory July 25, 2023, 7:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Å®dà0Î³ @ @x³SÀFà H.textÔ `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 1960 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 7:04 p.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamebe7eecf5-dd87-4c94-b371-82f58c0b97ee.exe(LegalCopyright \|)OriginalFilenamebe7eecf5-dd87-4c94-b371-82f58c0b97ee.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 1960 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 7:04 p.m.	buffer: °Ð3 base_address: 0x0042e000 process_identifier: 1960 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 7:04 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1960 process_handle: 0x0000027c	1	1

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÚoºdà*^! @@ À!K`¼% H.textd `.sdata±@@À.rsrc¼%`&@@.reloc .@B base_address: 0x00400000 process_identifier: 2500 process_handle: 0x0000025c	1	1
WriteProcessMemory July 25, 2023, 7:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL ¥dà0Î¦ @ @¦KÀFà H.textÔ `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 1000 process_handle: 0x00000258	1	1
WriteProcessMemory July 25, 2023, 7:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Å®dà0Î³ @ @x³SÀFà H.textÔ `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 1960 process_handle: 0x0000027c	1	1

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA July 25, 2023, 7:04 p.m.	thread_identifier: 0 callback_function: 0x006c07ea hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	131537	0

Harvests credentials from local email clients (6 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1532 called NtSetContextThread to modify thread in remote process 2500
Process injection	Process 2828 called NtSetContextThread to modify thread in remote process 1000
Process injection	Process 2868 called NtSetContextThread to modify thread in remote process 1960
NtSetContextThread July 25, 2023, 5:54 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4923742 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000260 process_identifier: 2500	1	0	0
NtSetContextThread July 25, 2023, 7:03 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4368078 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000250 process_identifier: 1000	1	0	0
NtSetContextThread July 25, 2023, 7:04 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4371406 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 1960	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1532 resumed a thread in remote process 2500
Process injection	Process 2828 resumed a thread in remote process 1000
Process injection	Process 2868 resumed a thread in remote process 1960
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2500	1	0	0
NtResumeThread July 25, 2023, 7:03 p.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 1000	1	0	0
NtResumeThread July 25, 2023, 7:04 p.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 1960	1	0	0

Creates a suspicious Powershell process (2 events)

option	-executionpolicy bypass				value	Attempts to bypass execution policy
option	-executionpolicy bypass				value	Attempts to bypass execution policy

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.87b5d7e79ba17f38
Malwarebytes	Malware.AI.1998692961
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.18e839
BitDefenderTheta	Gen:NN.ZemsilF.36318.Gn0@auSuZDj
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.GLLR
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Backdoor.MSIL.Remcos.gen
Avast	Win32:RATX-gen [Trj]
F-Secure	Heuristic.HEUR/AGEN.1310059
DrWeb	Trojan.Inject4.57973
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Trapmine	suspicious.low.ml.score
SentinelOne	Static AI - Suspicious PE
Avira	HEUR/AGEN.1310059
ZoneAlarm	HEUR:Backdoor.MSIL.Remcos.gen
Cylance	unsafe
Panda	Trj/GdSda.A
Rising	Backdoor.Remcos!8.B89E (TFE:dGZlOgy0Ot9uBHKe3w)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AJAC!tr
AVG	Win32:RATX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

Executed a process and injected code into it, probably while unpacking (50 out of 81 events)

Time & API	Arguments	Status	Return
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1532	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1532	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1532	1	0
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2168 thread_handle: 0x00000240 process_identifier: 2164 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\scandk464646464.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000023c	1	1
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2420 thread_handle: 0x00000258 process_identifier: 2416 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\scandk464646464.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\scandk464646464.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000254	1	1
NtGetContextThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000258	1	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2416 region_size: 1032192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000254		3221225496
CreateProcessInternalW July 25, 2023, 5:54 p.m.	thread_identifier: 2504 thread_handle: 0x00000260 process_identifier: 2500 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\scandk464646464.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\scandk464646464.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000025c	1	1
NtGetContextThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000260	1	0
NtAllocateVirtualMemory July 25, 2023, 5:54 p.m.	process_identifier: 2500 region_size: 1032192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000025c	1	0
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÚoºdà*^! @@ À!K`¼% H.textd `.sdata±@@À.rsrc¼%`&@@.reloc .@B base_address: 0x00400000 process_identifier: 2500 process_handle: 0x0000025c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: base_address: 0x00402000 process_identifier: 2500 process_handle: 0x0000025c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: 8ª:ðÅ[±R^ÇeaD+¡g£äò¶¤äæÞÂÝ dÅD'9üïöNRfhn M"vµ33m M"¡)avµX0 0*H÷ 0!0 + base_address: 0x004b4000 process_identifier: 2500 process_handle: 0x0000025c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: base_address: 0x004b6000 process_identifier: 2500 process_handle: 0x0000025c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: `1 base_address: 0x004fa000 process_identifier: 2500 process_handle: 0x0000025c	1	1
WriteProcessMemory July 25, 2023, 5:54 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2500 process_handle: 0x0000025c	1	1
NtSetContextThread July 25, 2023, 5:54 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4923742 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000260 process_identifier: 2500	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread July 25, 2023, 5:54 p.m.	thread_handle: 0x0000049c suspend_count: 1 process_identifier: 2164	1	0
NtResumeThread July 25, 2023, 7:03 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread July 25, 2023, 7:03 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread July 25, 2023, 7:03 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2500	1	0
CreateProcessInternalW July 25, 2023, 7:03 p.m.	thread_identifier: 2832 thread_handle: 0x000003c4 process_identifier: 2828 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003cc	1	1
CreateProcessInternalW July 25, 2023, 7:03 p.m.	thread_identifier: 2872 thread_handle: 0x00000360 process_identifier: 2868 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
NtResumeThread July 25, 2023, 7:03 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2828	1	0
NtResumeThread July 25, 2023, 7:03 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2828	1	0
NtResumeThread July 25, 2023, 7:03 p.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 2828	1	0
CreateProcessInternalW July 25, 2023, 7:03 p.m.	thread_identifier: 2968 thread_handle: 0x00000240 process_identifier: 2964 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000023c	1	1
CreateProcessInternalW July 25, 2023, 7:03 p.m.	thread_identifier: 840 thread_handle: 0x00000250 process_identifier: 1000 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\Tswbdzzhdxro.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000258	1	1
NtGetContextThread July 25, 2023, 7:03 p.m.	thread_handle: 0x00000250	1	0
NtAllocateVirtualMemory July 25, 2023, 7:03 p.m.	process_identifier: 1000 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0
WriteProcessMemory July 25, 2023, 7:03 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL ¥dà0Î¦ @ @¦KÀFà H.textÔ `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 1000 process_handle: 0x00000258	1	1
WriteProcessMemory July 25, 2023, 7:03 p.m.	buffer: base_address: 0x00402000 process_identifier: 1000 process_handle: 0x00000258	1	1
WriteProcessMemory July 25, 2023, 7:03 p.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNameda885a07-149c-487c-ae4e-521a587aedfb.exe(LegalCopyright \|)OriginalFilenameda885a07-149c-487c-ae4e-521a587aedfb.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 1000 process_handle: 0x00000258	1	1
WriteProcessMemory July 25, 2023, 7:03 p.m.	buffer: Ð6 base_address: 0x0042e000 process_identifier: 1000 process_handle: 0x00000258	1	1
WriteProcessMemory July 25, 2023, 7:03 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1000 process_handle: 0x00000258	1	1
NtSetContextThread July 25, 2023, 7:03 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4368078 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000250 process_identifier: 1000	1	0
NtResumeThread July 25, 2023, 7:03 p.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 1000	1	0
NtResumeThread July 25, 2023, 7:03 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2868	1	0
NtResumeThread July 25, 2023, 7:03 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2868	1	0
NtResumeThread July 25, 2023, 7:03 p.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 2868	1	0
CreateProcessInternalW July 25, 2023, 7:04 p.m.	thread_identifier: 2064 thread_handle: 0x00000278 process_identifier: 1960 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\Qputuwjvixr.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000027c	1	1
NtGetContextThread July 25, 2023, 7:04 p.m.	thread_handle: 0x00000278	1	0
NtAllocateVirtualMemory July 25, 2023, 7:04 p.m.	process_identifier: 1960 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0
WriteProcessMemory July 25, 2023, 7:04 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Å®dà0Î³ @ @x³SÀFà H.textÔ `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 1960 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 7:04 p.m.	buffer: base_address: 0x00402000 process_identifier: 1960 process_handle: 0x0000027c	1	1
WriteProcessMemory July 25, 2023, 7:04 p.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamebe7eecf5-dd87-4c94-b371-82f58c0b97ee.exe(LegalCopyright \|)OriginalFilenamebe7eecf5-dd87-4c94-b371-82f58c0b97ee.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 1960 process_handle: 0x0000027c	1	1

scandk464646464.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All