Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 11, 2023, 7:14 p.m.	Dec. 11, 2023, 7:31 p.m.

Size	1.0MB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`2360d77f2544609bde963256309a4437`
SHA256	`fb7ce88040b126b2b6db1c1ddfb13313b20e1349fc0ccd6cd7085f40507f3716`
CRC32	`3FF60BAE`
ssdeep	`24576:QCzatigGRPOd6Opc7+iq9ntsjqwJ3+rXzl:QmatL0mfc707z2+rXzl`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) hide_executable_file - Hide executable file UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

1701788303-crptmnr.exe "C:\Users\test22\AppData\Local\Temp\1701788303-crptmnr.exe"
1000

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 11, 2023, 7:07 p.m.			0	0
IsDebuggerPresent Dec. 11, 2023, 7:07 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 11, 2023, 7:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000666c70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000666c70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000666c70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bb4a6d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bb4a6d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Dec. 11, 2023, 7:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001bb4a6d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 11, 2023, 7:07 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 100 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c4b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35b4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00108200', u'virtual_address': u'0x00002000', u'entropy': 7.762601912862614, u'name': u'.text', u'virtual_size': u'0x00108070'}

entropy

7.76260191286

description

A section with a high entropy has been found

entropy

0.998582230624

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 11, 2023, 7:07 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Allocates execute permission to another process indicative of possible code injection (10 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2280 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000258	-1073741800
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2336 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000025c	-1073741800
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2372 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000264	-1073741800
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2420 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000026c	-1073741800
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2480 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000274	-1073741800
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2516 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000027c	-1073741800
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2556 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000284	-1073741800
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2604 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000028c	-1073741800
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2640 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000294	-1073741800
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2676 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000029c	-1073741800

Manipulates memory of a non-child process indicative of process injection (30 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 1000 manipulating memory of non-child process 2280
Process injection	Process 1000 manipulating memory of non-child process 2336
Process injection	Process 1000 manipulating memory of non-child process 2372
Process injection	Process 1000 manipulating memory of non-child process 2420
Process injection	Process 1000 manipulating memory of non-child process 2480
Process injection	Process 1000 manipulating memory of non-child process 2516
Process injection	Process 1000 manipulating memory of non-child process 2556
Process injection	Process 1000 manipulating memory of non-child process 2604
Process injection	Process 1000 manipulating memory of non-child process 2640
Process injection	Process 1000 manipulating memory of non-child process 2676
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 3313664 process_identifier: 2280 process_handle: 0x0000000000000258	-1073741799	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2280 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000258	-1073741800	0
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 1675264 process_identifier: 2336 process_handle: 0x000000000000025c	-1073741799	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2336 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000025c	-1073741800	0
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 2330624 process_identifier: 2372 process_handle: 0x0000000000000264	-1073741799	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2372 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000264	-1073741800	0
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 3510272 process_identifier: 2420 process_handle: 0x000000000000026c	-1073741799	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2420 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000026c	-1073741800	0
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 2461696 process_identifier: 2480 process_handle: 0x0000000000000274	-1073741799	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2480 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000274	-1073741800	0
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 3117056 process_identifier: 2516 process_handle: 0x000000000000027c	-1073741799	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2516 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000027c	-1073741800	0
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 3117056 process_identifier: 2556 process_handle: 0x0000000000000284	-1073741799	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2556 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000284	-1073741800	0
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 2330624 process_identifier: 2604 process_handle: 0x000000000000028c	-1073741799	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2604 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000028c	-1073741800	0
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 2985984 process_identifier: 2640 process_handle: 0x0000000000000294	-1073741799	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2640 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000294	-1073741800	0
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 2134016 process_identifier: 2676 process_handle: 0x000000000000029c	-1073741799	0
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2676 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000029c	-1073741800	0

Executed a process and injected code into it, probably while unpacking (47 events)

Time & API	Arguments	Status	Return
NtResumeThread Dec. 11, 2023, 7:07 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 1000	1	0
NtResumeThread Dec. 11, 2023, 7:07 p.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 1000	1	0
NtResumeThread Dec. 11, 2023, 7:07 p.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 1000	1	0
NtResumeThread Dec. 11, 2023, 7:07 p.m.	thread_handle: 0x0000000000000230 suspend_count: 1 process_identifier: 1000	1	0
NtGetContextThread Dec. 11, 2023, 7:07 p.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread Dec. 11, 2023, 7:07 p.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread Dec. 11, 2023, 7:07 p.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 1000	1	0
CreateProcessInternalW Dec. 11, 2023, 7:07 p.m.	thread_identifier: 2284 thread_handle: 0x0000000000000254 process_identifier: 2280 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1701788303-crptmnr.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x0000000000000258	1	1
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 3313664 process_identifier: 2280 process_handle: 0x0000000000000258		-1073741799
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2280 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000258		-1073741800
WriteProcessMemory Dec. 11, 2023, 7:07 p.m.	buffer: base_address: 0x0000000000400000 process_identifier: 2280 process_handle: 0x0000000000000258		0
CreateProcessInternalW Dec. 11, 2023, 7:07 p.m.	thread_identifier: 2340 thread_handle: 0x0000000000000260 process_identifier: 2336 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1701788303-crptmnr.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x000000000000025c	1	1
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 1675264 process_identifier: 2336 process_handle: 0x000000000000025c		-1073741799
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2336 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000025c		-1073741800
WriteProcessMemory Dec. 11, 2023, 7:07 p.m.	buffer: base_address: 0x0000000000400000 process_identifier: 2336 process_handle: 0x000000000000025c		0
CreateProcessInternalW Dec. 11, 2023, 7:07 p.m.	thread_identifier: 2376 thread_handle: 0x0000000000000268 process_identifier: 2372 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1701788303-crptmnr.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x0000000000000264	1	1
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 2330624 process_identifier: 2372 process_handle: 0x0000000000000264		-1073741799
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2372 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000264		-1073741800
WriteProcessMemory Dec. 11, 2023, 7:07 p.m.	buffer: base_address: 0x0000000000400000 process_identifier: 2372 process_handle: 0x0000000000000264		0
CreateProcessInternalW Dec. 11, 2023, 7:07 p.m.	thread_identifier: 2424 thread_handle: 0x0000000000000270 process_identifier: 2420 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1701788303-crptmnr.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x000000000000026c	1	1
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 3510272 process_identifier: 2420 process_handle: 0x000000000000026c		-1073741799
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2420 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000026c		-1073741800
WriteProcessMemory Dec. 11, 2023, 7:07 p.m.	buffer: base_address: 0x0000000000400000 process_identifier: 2420 process_handle: 0x000000000000026c		0
CreateProcessInternalW Dec. 11, 2023, 7:07 p.m.	thread_identifier: 2484 thread_handle: 0x0000000000000278 process_identifier: 2480 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1701788303-crptmnr.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x0000000000000274	1	1
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 2461696 process_identifier: 2480 process_handle: 0x0000000000000274		-1073741799
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2480 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000274		-1073741800
WriteProcessMemory Dec. 11, 2023, 7:07 p.m.	buffer: base_address: 0x0000000000400000 process_identifier: 2480 process_handle: 0x0000000000000274		0
CreateProcessInternalW Dec. 11, 2023, 7:07 p.m.	thread_identifier: 2520 thread_handle: 0x0000000000000280 process_identifier: 2516 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1701788303-crptmnr.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x000000000000027c	1	1
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 3117056 process_identifier: 2516 process_handle: 0x000000000000027c		-1073741799
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2516 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000027c		-1073741800
WriteProcessMemory Dec. 11, 2023, 7:07 p.m.	buffer: base_address: 0x0000000000400000 process_identifier: 2516 process_handle: 0x000000000000027c		0
CreateProcessInternalW Dec. 11, 2023, 7:07 p.m.	thread_identifier: 2560 thread_handle: 0x0000000000000288 process_identifier: 2556 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1701788303-crptmnr.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x0000000000000284	1	1
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 3117056 process_identifier: 2556 process_handle: 0x0000000000000284		-1073741799
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2556 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000284		-1073741800
WriteProcessMemory Dec. 11, 2023, 7:07 p.m.	buffer: base_address: 0x0000000000400000 process_identifier: 2556 process_handle: 0x0000000000000284		0
CreateProcessInternalW Dec. 11, 2023, 7:07 p.m.	thread_identifier: 2608 thread_handle: 0x0000000000000290 process_identifier: 2604 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1701788303-crptmnr.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x000000000000028c	1	1
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 2330624 process_identifier: 2604 process_handle: 0x000000000000028c		-1073741799
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2604 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000028c		-1073741800
WriteProcessMemory Dec. 11, 2023, 7:07 p.m.	buffer: base_address: 0x0000000000400000 process_identifier: 2604 process_handle: 0x000000000000028c		0
CreateProcessInternalW Dec. 11, 2023, 7:07 p.m.	thread_identifier: 2644 thread_handle: 0x0000000000000298 process_identifier: 2640 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1701788303-crptmnr.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x0000000000000294	1	1
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 2985984 process_identifier: 2640 process_handle: 0x0000000000000294		-1073741799
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2640 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000294		-1073741800
WriteProcessMemory Dec. 11, 2023, 7:07 p.m.	buffer: base_address: 0x0000000000400000 process_identifier: 2640 process_handle: 0x0000000000000294		0
CreateProcessInternalW Dec. 11, 2023, 7:07 p.m.	thread_identifier: 2680 thread_handle: 0x00000000000002a0 process_identifier: 2676 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\1701788303-crptmnr.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x000000000000029c	1	1
NtUnmapViewOfSection Dec. 11, 2023, 7:07 p.m.	base_address: 0x0000000000400000 region_size: 2134016 process_identifier: 2676 process_handle: 0x000000000000029c		-1073741799
NtAllocateVirtualMemory Dec. 11, 2023, 7:07 p.m.	process_identifier: 2676 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000029c		-1073741800
WriteProcessMemory Dec. 11, 2023, 7:07 p.m.	buffer: base_address: 0x0000000000400000 process_identifier: 2676 process_handle: 0x000000000000029c		0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W64.AIDetectMalware.CS
Lionic	Trojan.Win32.Seraph.a!c
tehtris	Generic.Malware
MicroWorld-eScan	Gen:Variant.MSILHeracles.128536
FireEye	Gen:Variant.MSILHeracles.128536
Skyhigh	BehavesLike.Win64.Generic.tc
ALYac	Gen:Variant.MSILHeracles.128536
Malwarebytes	Trojan.Crypt.MSIL.Generic
Sangfor	Downloader.Msil.Kryptik.Vbzp
Alibaba	TrojanDownloader:MSIL/AveMariaRAT.c1566584
VirIT	Trojan.Win64.MSIL_Heur.A
Symantec	Trojan Horse
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/GenKryptik.GQWK
APEX	Malicious
ClamAV	Win.Trojan.EmbeddedDotNetBinary-9940868-0
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Gen:Variant.MSILHeracles.128536
Avast	Win64:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.13f95263
Emsisoft	Gen:Variant.MSILHeracles.128536 (B)
F-Secure	Heuristic.HEUR/AGEN.1325431
DrWeb	Trojan.PackedNET.2567
VIPRE	Gen:Variant.MSILHeracles.128536
TrendMicro	TROJ_GEN.R002C0XL723
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.FL
Varist	W64/MSIL_Kryptik.KGB.gen!Eldorado
Avira	HEUR/AGEN.1325431
Antiy-AVL	Trojan/MSIL.GenKryptik
Kingsoft	Win32.Troj.Unknown.a
Microsoft	Trojan:MSIL/AveMariaRAT.O!MTB
Gridinsoft	Ransom.Win64.Sabsik.sa
Xcitium	Malware@#2j3sm4a4mnkq9
Arcabit	Trojan.MSILHeracles.D1F618
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Seraph.gen
GData	Gen:Variant.MSILHeracles.128536
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C5560632
MAX	malware (ai score=88)
VBA32	TrojanDownloader.MSIL.Seraph
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0XL723
Ikarus	Trojan.MSIL.Inject
MaxSecure	Trojan.Malware.74570710.susgen
Fortinet	MSIL/GenKryptik.GNRC!tr
AVG	Win64:PWSX-gen [Trj]
DeepInstinct	MALICIOUS

1701788303-crptmnr.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All