Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 1, 2024, 7:34 a.m.	April 1, 2024, 7:38 a.m.

Size	390.6KB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`f3054dc7004336617747743d172b111b`
SHA256	`56768dc2486a0eadfb82e3df6436434d1b6502d542fe6c41e2b52aae948b140f`
CRC32	`0BB28C38`
ssdeep	`12288:0mpLB0g2B9kBnIS7aqDiF2EzP1h3HLTx9SlIczAvDvv:d0njm/7DDiF/v3ncIc8vDvv`
PDB Path	C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\WorkHardKeepTrying\obj\Release\WorkHardKeepTrying.pdb
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature

Akh.exe "C:\Users\test22\AppData\Local\Temp\Akh.exe"
2568
- CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2256
  - 1EqK5UBmfgkna1y9f5Pn8uBm.exe "C:\Users\test22\Pictures\1EqK5UBmfgkna1y9f5Pn8uBm.exe"
    648
  - SpSZpljeAgBOd5nDtyvjI8FY.exe "C:\Users\test22\Pictures\SpSZpljeAgBOd5nDtyvjI8FY.exe"
    1272
  - XTGRVHcKTRAVMPxb8cY2suul.exe "C:\Users\test22\Pictures\XTGRVHcKTRAVMPxb8cY2suul.exe"
    1892
  - e6bOWUu0g4v8btuvKGWKflI4.exe "C:\Users\test22\Pictures\e6bOWUu0g4v8btuvKGWKflI4.exe"
    2296

Name	Response	Post-Analysis Lookup
yip.su	A 104.21.79.77 A 172.67.169.89	172.67.169.89
cacerts.digicert.com	CNAME fp2e7a.wpc.2be4.phicdn.net CNAME fp2e7a.wpc.phicdn.net A 152.195.38.76	152.195.38.76
namemail.org
pastebin.com	A 172.67.34.170 A 104.20.67.143 A 104.20.68.143	104.20.67.143
operandotwo.com	A 172.67.160.247 A 104.21.15.5	172.67.160.247
my.foosaby.com
shipofdestiny.com	A 172.67.152.98 A 104.21.32.142	104.21.32.142
apps.identrust.com	CNAME a1952.dscq.akamai.net A 23.210.247.48 A 23.210.247.57 CNAME identrust.edgesuite.net	23.210.247.48
shipbank.org	A 104.21.10.217 A 172.67.146.202	104.21.10.217
net.geo.opera.com	A 107.167.110.211 A 107.167.110.216 CNAME lati.lb.opera.technology CNAME us.net.opera.com	107.167.110.216
sty.ink	A 172.67.200.219 A 104.21.13.170	172.67.200.219
namecloudvideo.org	A 104.21.65.148 A 172.67.164.28	104.21.65.148
lawyerbuyer.org	A 104.21.63.71 A 172.67.170.65	104.21.63.71
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

IP Address	Status	Action
104.21.13.170	Active	Moloch
104.21.15.5	Active	Moloch
104.21.32.142	Active	Moloch
104.21.63.71	Active	Moloch
104.21.79.77	Active	Moloch
107.167.110.211	Active	Moloch
15.204.49.148	Active	Moloch
152.195.38.76	Active	Moloch
162.159.130.233	Active	Moloch
164.124.101.2	Active	Moloch
172.67.146.202	Active	Moloch
172.67.164.28	Active	Moloch
172.67.170.65	Active	Moloch
172.67.200.219	Active	Moloch
172.67.34.170	Active	Moloch
185.172.128.144	Active	Moloch
193.233.132.150	Active	Moloch
23.210.247.48	Active	Moloch
91.92.250.47	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:51901 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 192.168.56.101:49176 -> 172.67.200.219:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49174 -> 162.159.130.233:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 104.21.32.142:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 104.21.32.142:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 104.21.13.170:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 104.21.79.77:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 104.21.63.71:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 172.67.164.28:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 107.167.110.211:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 172.67.34.170:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 104.21.15.5:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 185.172.128.144:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.144:80 -> 192.168.56.101:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.144:80 -> 192.168.56.101:49168	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.144:80 -> 192.168.56.101:49168	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 15.204.49.148:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49181 -> 172.67.170.65:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 172.67.146.202:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 193.233.132.150:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49176 172.67.200.219:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=sty.ink	04:26:33:35:60:d1:f5:25:d0:36:d3:b3:77:b5:a1:0c:0c:02:8e:18
TLS 1.2 192.168.56.101:49174 162.159.130.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=discordapp.com	97:8b:ee:ad:1e:bf:a1:69:e7:94:29:f7:55:7a:29:64:19:c7:81:39
TLS 1.2 192.168.56.101:49173 104.21.32.142:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=shipofdestiny.com	e5:3d:dd:1e:cc:3d:fe:a7:68:cc:b6:93:8f:07:8c:8d:72:d0:79:30
TLS 1.2 192.168.56.101:49171 104.21.32.142:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=shipofdestiny.com	e5:3d:dd:1e:cc:3d:fe:a7:68:cc:b6:93:8f:07:8c:8d:72:d0:79:30
TLS 1.2 192.168.56.101:49177 104.21.13.170:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=sty.ink	04:26:33:35:60:d1:f5:25:d0:36:d3:b3:77:b5:a1:0c:0c:02:8e:18
TLS 1.2 192.168.56.101:49178 104.21.79.77:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=yip.su	b1:73:ed:bb:05:91:b3:14:34:7d:d1:3c:92:7f:db:a1:84:c3:2f:a9
TLS 1.2 192.168.56.101:49182 104.21.63.71:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=lawyerbuyer.org	25:ed:e3:0d:c2:97:7f:8c:70:54:9f:be:63:e9:c7:7a:00:fa:04:aa
TLS 1.2 192.168.56.101:49175 172.67.164.28:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=namecloudvideo.org	64:a9:49:8d:88:8e:5c:14:98:b7:7e:a9:3f:11:a9:e4:1f:d1:ee:aa
TLS 1.2 192.168.56.101:49184 107.167.110.211:443	C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1	C=NO, ST=Oslo, L=Oslo, O=Opera Norway AS, CN=net.geo.opera.com	c0:94:e3:ed:b1:ae:5a:e8:e1:06:b2:20:8f:c1:d4:af:5b:25:65:0f
TLS 1.2 192.168.56.101:49165 172.67.34.170:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	55:c8:82:61:30:05:42:80:db:47:5e:d0:66:b5:df:ac:14:5b:19:6f
TLS 1.2 192.168.56.101:49172 104.21.15.5:443	C=US, O=Let's Encrypt, CN=E1	CN=operandotwo.com	dc:13:e0:0f:10:db:3f:8d:e5:db:4d:1e:f7:4e:de:dd:66:84:97:be
TLS 1.2 192.168.56.101:49181 172.67.170.65:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=lawyerbuyer.org	25:ed:e3:0d:c2:97:7f:8c:70:54:9f:be:63:e9:c7:7a:00:fa:04:aa
TLS 1.2 192.168.56.101:49183 172.67.146.202:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=shipbank.org	87:3f:1d:95:3c:42:06:99:73:d8:4f:34:44:de:48:4f:26:b1:a1:a7

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 1, 2024, 7:26 a.m.			0	0
IsDebuggerPresent April 1, 2024, 7:26 a.m.			0	0
IsDebuggerPresent April 1, 2024, 7:35 a.m.			0	0
IsDebuggerPresent April 1, 2024, 7:35 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey April 1, 2024, 7:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000036dff0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 1, 2024, 7:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000036df80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 1, 2024, 7:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000036df80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 1, 2024, 7:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000036e7d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 8	1	1
CryptExportKey April 1, 2024, 7:27 a.m.	buffer: f "î¡Ð¯p´\%Çî1«t+¡í* crypto_handle: 0x000000000036e7d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 8	1	1
CryptExportKey April 1, 2024, 7:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000036ea70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 1, 2024, 7:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000036ea70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 1, 2024, 7:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000036ea70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\WorkHardKeepTrying\obj\Release\WorkHardKeepTrying.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 1, 2024, 7:26 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 1, 2024, 7:28 a.m.	stacktrace: RtlInitUnicodeStringEx+0x24 RtlFreeAnsiString-0x22c ntdll+0x553e4 @ 0x76d853e4 BasepCheckBadapp+0xa2b LCMapStringW-0x785 kernel32+0x2064b @ 0x76c3064b CreateProcessInternalW+0x7dc BasepCheckBadapp-0xc94 kernel32+0x1ef8c @ 0x76c2ef8c New_kernel32_CreateProcessInternalW+0x208 New_kernel32_CreateRemoteThread-0x198 @ 0x73989b5a CreateProcessW+0x6c NeedCurrentDirectoryForExePathW-0x14 kernel32+0x21c1c @ 0x76c31c1c 0x7fe943d14a7 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef3acb042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef3acad83 mscorlib+0x563bfc @ 0x7fef2903bfc mscorlib+0x486001 @ 0x7fef2826001 0x7fe943bda75 0x7fe943bd30b 0x7fe943bcabf 0x7fe943b897d 0x7fe943b85f4 0x7fe943b7c6d 0x7fe943ce62b 0x7fe943d1317 0x7fe943d097d CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef3acb042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef3acad83 mscorlib+0x563c95 @ 0x7fef2903c95 mscorlib+0x486001 @ 0x7fef2826001 0x7fe943bda75 0x7fe943bd30b 0x7fe943bcabf 0x7fe943b897d 0x7fe943b85f4 0x7fe943b7c6d 0x7fe943b4e2c 0x7fe943cd102 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef3acb042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef3acad83 mscorlib+0x563c95 @ 0x7fef2903c95 mscorlib+0x486001 @ 0x7fef2826001 mscorlib+0x48c543 @ 0x7fef282c543 0x7fe94430bd0 system+0x2e8e84 @ 0x7feefb98e84 PreBindAssemblyEx+0xb953 CreateHistoryReader-0x67311 clr+0x10e747 @ 0x7fef3b3e747 0x7fe943b107b 0x7fe943b08e4 system+0x2753fa @ 0x7fef04d53fa system+0x30a7f9 @ 0x7fef056a7f9 system+0x2f5af4 @ 0x7fef0555af4 system+0x2f5894 @ 0x7fef0555894 system+0x308bc4 @ 0x7fef0568bc4 system+0x2f856b @ 0x7fef055856b system+0x306acb @ 0x7fef0566acb system+0x2f808a @ 0x7fef055808a system+0x8f83f7 @ 0x7fef0b583f7 DestroyAssemblyConfigCookie+0x132aa PreBindAssembly-0xe5a6 clr+0xf482e @ 0x7fef3b2482e TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x769c9bd1 SetWindowTextW+0x277 SetWindowLongPtrW-0x3f5 user32+0x172cb @ 0x769c72cb IsDialogMessageW+0x169 SetTimer-0x107 user32+0x16829 @ 0x769c6829 KiUserCallbackDispatcher+0x1f KiUserExceptionDispatcher-0x25 ntdll+0x51225 @ 0x76d81225 ShowWindow+0xa LoadMenuIndirectA-0xa6e user32+0x1193a @ 0x769c193a system+0x324bc7 @ 0x7fef0584bc7 system+0x2f43b9 @ 0x7fef05543b9 exception.instruction_r: 66 f2 af 48 8b 3c 24 48 f7 d1 48 ff c9 48 81 f9 exception.symbol: RtlInitUnicodeStringEx+0x24 RtlFreeAnsiString-0x22c ntdll+0x553e4 exception.instruction: scasw ax, word ptr [rdi] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 349156 exception.address: 0x76d853e4 registers.r14: 2092024 registers.r15: 4 registers.rcx: 8789990646192 registers.rsi: 8791534525312 registers.r10: 29555246222803002 registers.rbx: 39777752 registers.rsp: 2090880 registers.r11: 466025884 registers.r8: 42075800 registers.r9: 0 registers.rdx: 41586568 registers.r12: 0 registers.rbp: 2090928 registers.rdi: 39777537 registers.rax: 0 registers.r13: 2092368	1	0	0
__exception__ April 1, 2024, 7:28 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d PreBindAssemblyEx+0x35208 CreateHistoryReader-0x3da5c clr+0x137ffc @ 0x7fef3b67ffc PreBindAssemblyEx+0x35256 CreateHistoryReader-0x3da0e clr+0x13804a @ 0x7fef3b6804a PreBindAssemblyEx+0x35261 CreateHistoryReader-0x3da03 clr+0x138055 @ 0x7fef3b68055 system+0x305edd @ 0x7fef0565edd system+0x31132a @ 0x7fef057132a system+0x31107f @ 0x7fef057107f 0x7fe943b0450 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef3a7f30b _CorExeMain+0x335c ClrCreateManagedInstance-0x15ae4 clr+0x1e721c @ 0x7fef3c1721c _CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef3c17976 _CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef3c17870 _CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef3c173e6 _CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef3c1733e _CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef3c13ed4 _CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef4e874e5 _CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef4f25b21 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0xc0000005 exception.offset: 42141 exception.address: 0x7fefd4fa49d registers.r14: 0 registers.r15: 0 registers.rcx: 2087664 registers.rsi: 0 registers.r10: 8791535279837 registers.rbx: 0 registers.rsp: 2095408 registers.r11: 2089280 registers.r8: 0 registers.r9: 0 registers.rdx: 8791597689136 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1996069374 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 1, 2024, 7:28 a.m.

stacktrace:

RtlInitUnicodeStringEx+0x24 RtlFreeAnsiString-0x22c ntdll+0x553e4 @ 0x76d853e4
BasepCheckBadapp+0xa2b LCMapStringW-0x785 kernel32+0x2064b @ 0x76c3064b
CreateProcessInternalW+0x7dc BasepCheckBadapp-0xc94 kernel32+0x1ef8c @ 0x76c2ef8c
New_kernel32_CreateProcessInternalW+0x208 New_kernel32_CreateRemoteThread-0x198 @ 0x73989b5a
CreateProcessW+0x6c NeedCurrentDirectoryForExePathW-0x14 kernel32+0x21c1c @ 0x76c31c1c
0x7fe943d14a7
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef3acb042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef3acad83
mscorlib+0x563bfc @ 0x7fef2903bfc
mscorlib+0x486001 @ 0x7fef2826001
0x7fe943bda75
0x7fe943bd30b
0x7fe943bcabf
0x7fe943b897d
0x7fe943b85f4
0x7fe943b7c6d
0x7fe943ce62b
0x7fe943d1317
0x7fe943d097d
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef3acb042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef3acad83
mscorlib+0x563c95 @ 0x7fef2903c95
mscorlib+0x486001 @ 0x7fef2826001
0x7fe943bda75
0x7fe943bd30b
0x7fe943bcabf
0x7fe943b897d
0x7fe943b85f4
0x7fe943b7c6d
0x7fe943b4e2c
0x7fe943cd102
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242
StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef3acb042
StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef3acad83
mscorlib+0x563c95 @ 0x7fef2903c95
mscorlib+0x486001 @ 0x7fef2826001
mscorlib+0x48c543 @ 0x7fef282c543
0x7fe94430bd0
system+0x2e8e84 @ 0x7feefb98e84
PreBindAssemblyEx+0xb953 CreateHistoryReader-0x67311 clr+0x10e747 @ 0x7fef3b3e747
0x7fe943b107b
0x7fe943b08e4
system+0x2753fa @ 0x7fef04d53fa
system+0x30a7f9 @ 0x7fef056a7f9
system+0x2f5af4 @ 0x7fef0555af4
system+0x2f5894 @ 0x7fef0555894
system+0x308bc4 @ 0x7fef0568bc4
system+0x2f856b @ 0x7fef055856b
system+0x306acb @ 0x7fef0566acb
system+0x2f808a @ 0x7fef055808a
system+0x8f83f7 @ 0x7fef0b583f7
DestroyAssemblyConfigCookie+0x132aa PreBindAssembly-0xe5a6 clr+0xf482e @ 0x7fef3b2482e
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x769c9bd1
SetWindowTextW+0x277 SetWindowLongPtrW-0x3f5 user32+0x172cb @ 0x769c72cb
IsDialogMessageW+0x169 SetTimer-0x107 user32+0x16829 @ 0x769c6829
KiUserCallbackDispatcher+0x1f KiUserExceptionDispatcher-0x25 ntdll+0x51225 @ 0x76d81225
ShowWindow+0xa LoadMenuIndirectA-0xa6e user32+0x1193a @ 0x769c193a
system+0x324bc7 @ 0x7fef0584bc7
system+0x2f43b9 @ 0x7fef05543b9

exception.instruction_r: 66 f2 af 48 8b 3c 24 48 f7 d1 48 ff c9 48 81 f9
exception.symbol: RtlInitUnicodeStringEx+0x24 RtlFreeAnsiString-0x22c ntdll+0x553e4
exception.instruction: scasw ax, word ptr [rdi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 349156
exception.address: 0x76d853e4
registers.r14: 2092024
registers.r15: 4
registers.rcx: 8789990646192
registers.rsi: 8791534525312
registers.r10: 29555246222803002
registers.rbx: 39777752
registers.rsp: 2090880
registers.r11: 466025884
registers.r8: 42075800
registers.r9: 0
registers.rdx: 41586568
registers.r12: 0
registers.rbp: 2090928
registers.rdi: 39777537
registers.rax: 0
registers.r13: 2092368

__exception__

April 1, 2024, 7:28 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefd4fa49d
PreBindAssemblyEx+0x35208 CreateHistoryReader-0x3da5c clr+0x137ffc @ 0x7fef3b67ffc
PreBindAssemblyEx+0x35256 CreateHistoryReader-0x3da0e clr+0x13804a @ 0x7fef3b6804a
PreBindAssemblyEx+0x35261 CreateHistoryReader-0x3da03 clr+0x138055 @ 0x7fef3b68055
system+0x305edd @ 0x7fef0565edd
system+0x31132a @ 0x7fef057132a
system+0x31107f @ 0x7fef057107f
0x7fe943b0450
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef3a7f30b
_CorExeMain+0x335c ClrCreateManagedInstance-0x15ae4 clr+0x1e721c @ 0x7fef3c1721c
_CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef3c17976
_CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef3c17870
_CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef3c173e6
_CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef3c1733e
_CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef3c13ed4
_CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef4e874e5
_CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef4f25b21
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000005
exception.offset: 42141
exception.address: 0x7fefd4fa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 2087664
registers.rsi: 0
registers.r10: 8791535279837
registers.rbx: 0
registers.rsp: 2095408
registers.r11: 2089280
registers.r8: 0
registers.r9: 0
registers.rdx: 8791597689136
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1996069374
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://15.204.49.148/files/Amadey.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.144/ISetup10.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://193.233.132.150/Second2.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767_789
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/xYhKBupz
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/1211836107881447426/1222381674403201055/crypted.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://shipofdestiny.com/baf14778c246e15550645e30ba78ce1c.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://sty.ink/j903q
suspicious_features	GET method with no useragent header	suspicious_request	GET https://namecloudvideo.org/3eef203fb515bda85f514e168abb5973.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://sty.ink/ieer6
suspicious_features	GET method with no useragent header	suspicious_request	GET https://yip.su/RNWPd.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://lawyerbuyer.org/7be3fd16e688515edcc0939fa9cb026c/baf14778c246e15550645e30ba78ce1c.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://shipbank.org/7be3fd16e688515edcc0939fa9cb026c/3eef203fb515bda85f514e168abb5973.exe

Performs some HTTP requests (15 events)

request	GET http://15.204.49.148/files/Amadey.exe
request	GET http://185.172.128.144/ISetup10.exe
request	GET http://193.233.132.150/Second2.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767_789
request	GET http://cacerts.digicert.com/DigiCertGlobalRootG3.crt
request	GET https://pastebin.com/raw/xYhKBupz
request	GET https://cdn.discordapp.com/attachments/1211836107881447426/1222381674403201055/crypted.exe
request	GET https://shipofdestiny.com/baf14778c246e15550645e30ba78ce1c.exe
request	GET https://sty.ink/j903q
request	GET https://namecloudvideo.org/3eef203fb515bda85f514e168abb5973.exe
request	GET https://sty.ink/ieer6
request	GET https://yip.su/RNWPd.exe
request	GET https://lawyerbuyer.org/7be3fd16e688515edcc0939fa9cb026c/baf14778c246e15550645e30ba78ce1c.exe
request	GET https://shipbank.org/7be3fd16e688515edcc0939fa9cb026c/3eef203fb515bda85f514e168abb5973.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 160 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40cb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9433c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94366000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94282000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 1, 2024, 7:26 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:27 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:27 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:27 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:27 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 1, 2024, 7:27 a.m.	process_identifier: 2568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (21 events)

file	C:\Users\test22\AppData\Local\Km16ZdNifRZqZC383k9UsxfF.exe
file	C:\Users\test22\AppData\Local\Wuz0vjuwIqzywLIIoA8dNu8B.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PKBUVV1GZCyfuckhCDUlnyFs.bat
file	C:\Users\test22\Pictures\bPUK4cVaayh1kcBs6MD682U7.exe
file	C:\Users\test22\Pictures\XTGRVHcKTRAVMPxb8cY2suul.exe
file	C:\Users\test22\AppData\Local\ZaaJZWXbESbfhMRJZMt5199m.exe
file	C:\Users\test22\Pictures\4I1LPjSWHw0dRdm14B8cpxsz.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\miw4ZVVPblOYycNZaJhP86Pm.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G6Mu6oXYs7XFPDNPe2B5VTyg.bat
file	C:\Users\test22\AppData\Local\u73syWWCN2v7vXbbd0n85kol.exe
file	C:\Users\test22\Pictures\1EqK5UBmfgkna1y9f5Pn8uBm.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LkmrRZnnjeGWTflQ08KYg2vW.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyTw2Tni4XMk7n8qK0ia81rv.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cj4DmDxGCDVoe7yHhUg36AVC.bat
file	C:\Users\test22\AppData\Local\8TescunqSJdJBKV9Px7A5Wy8.exe
file	C:\Users\test22\AppData\Local\K9y6iDbBLxt5pm8baeXZ1Uc4.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rcJHPw3Tj3orr1poJ8BkKpRW.bat
file	C:\Users\test22\Pictures\e6bOWUu0g4v8btuvKGWKflI4.exe
file	C:\Users\test22\AppData\Local\zQzExX9PHh5xndnkVjFaCUQT.exe
file	C:\Users\test22\Pictures\2zyozPmmwykliZbwysYuXnYM.exe
file	C:\Users\test22\Pictures\SpSZpljeAgBOd5nDtyvjI8FY.exe

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
ShellExecuteExW April 1, 2024, 7:35 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\4I1LPjSWHw0dRdm14B8cpxsz.exe parameters: filepath: C:\Users\test22\Pictures\4I1LPjSWHw0dRdm14B8cpxsz.exe		0
ShellExecuteExW April 1, 2024, 7:35 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\2zyozPmmwykliZbwysYuXnYM.exe parameters: filepath: C:\Users\test22\Pictures\2zyozPmmwykliZbwysYuXnYM.exe		0
ShellExecuteExW April 1, 2024, 7:35 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\bPUK4cVaayh1kcBs6MD682U7.exe parameters: filepath: C:\Users\test22\Pictures\bPUK4cVaayh1kcBs6MD682U7.exe		0
ShellExecuteExW April 1, 2024, 7:35 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\1EqK5UBmfgkna1y9f5Pn8uBm.exe parameters: filepath: C:\Users\test22\Pictures\1EqK5UBmfgkna1y9f5Pn8uBm.exe	1	1
ShellExecuteExW April 1, 2024, 7:35 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\SpSZpljeAgBOd5nDtyvjI8FY.exe parameters: filepath: C:\Users\test22\Pictures\SpSZpljeAgBOd5nDtyvjI8FY.exe	1	1
ShellExecuteExW April 1, 2024, 7:35 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\XTGRVHcKTRAVMPxb8cY2suul.exe parameters: filepath: C:\Users\test22\Pictures\XTGRVHcKTRAVMPxb8cY2suul.exe	1	1
ShellExecuteExW April 1, 2024, 7:35 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\e6bOWUu0g4v8btuvKGWKflI4.exe parameters: filepath: C:\Users\test22\Pictures\e6bOWUu0g4v8btuvKGWKflI4.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 1, 2024, 7:35 a.m.	flags: 15 family: 0		111	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 766f72a8de8b2d077c470a9fd12e54be042c986a
buffer	Buffer with sha1: 40e255f1e8e57255424d43f33fe768e40242e736

Communicates with host for which no DNS query was performed (4 events)

host	15.204.49.148
host	185.172.128.144
host	193.233.132.150
host	91.92.250.47

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 1, 2024, 7:28 a.m.	process_identifier: 2256 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002f4	1	0	0

Installs itself for autorun at Windows startup (7 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\miw4ZVVPblOYycNZaJhP86Pm.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LkmrRZnnjeGWTflQ08KYg2vW.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HyTw2Tni4XMk7n8qK0ia81rv.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cj4DmDxGCDVoe7yHhUg36AVC.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rcJHPw3Tj3orr1poJ8BkKpRW.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PKBUVV1GZCyfuckhCDUlnyFs.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G6Mu6oXYs7XFPDNPe2B5VTyg.bat

Drops a binary and executes it (4 events)

file	C:\Users\test22\Pictures\4I1LPjSWHw0dRdm14B8cpxsz.exe
file	C:\Users\test22\Pictures\1EqK5UBmfgkna1y9f5Pn8uBm.exe
file	C:\Users\test22\Pictures\XTGRVHcKTRAVMPxb8cY2suul.exe
file	C:\Users\test22\Pictures\e6bOWUu0g4v8btuvKGWKflI4.exe

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory April 1, 2024, 7:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELLgøà"03 @@ @83O@Ü`3 H.text `.rsrcÜ@@@.reloc`(@B base_address: 0x0000000000400000 process_identifier: 2256 process_handle: 0x00000000000002f4	1	1
WriteProcessMemory April 1, 2024, 7:28 a.m.	buffer: 03 base_address: 0x0000000000406000 process_identifier: 2256 process_handle: 0x00000000000002f4	1	1
WriteProcessMemory April 1, 2024, 7:28 a.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 2256 process_handle: 0x00000000000002f4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 1, 2024, 7:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELLgøà"03 @@ @83O@Ü`3 H.text `.rsrcÜ@@@.reloc`(@B base_address: 0x0000000000400000 process_identifier: 2256 process_handle: 0x00000000000002f4	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2568 resumed a thread in remote process 2256
NtResumeThread April 1, 2024, 7:28 a.m.	thread_handle: 0x00000000000002f0 suspend_count: 1 process_identifier: 2256	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

91.92.250.47:80

Executed a process and injected code into it, probably while unpacking (50 out of 55 events)

Time & API	Arguments	Status	Return
NtResumeThread April 1, 2024, 7:26 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2568	1	0
NtResumeThread April 1, 2024, 7:26 a.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 2568	1	0
NtResumeThread April 1, 2024, 7:26 a.m.	thread_handle: 0x0000000000000180 suspend_count: 1 process_identifier: 2568	1	0
NtResumeThread April 1, 2024, 7:28 a.m.	thread_handle: 0x00000000000002c0 suspend_count: 1 process_identifier: 2568	1	0
NtGetContextThread April 1, 2024, 7:28 a.m.	thread_handle: 0x00000000000000d0	1	0
NtGetContextThread April 1, 2024, 7:28 a.m.	thread_handle: 0x00000000000000d0	1	0
NtResumeThread April 1, 2024, 7:28 a.m.	thread_handle: 0x00000000000000d0 suspend_count: 1 process_identifier: 2568	1	0
NtResumeThread April 1, 2024, 7:28 a.m.	thread_handle: 0x00000000000002d4 suspend_count: 1 process_identifier: 2568	1	0
NtResumeThread April 1, 2024, 7:28 a.m.	thread_handle: 0x00000000000002ec suspend_count: 1 process_identifier: 2568	1	0
CreateProcessInternalW April 1, 2024, 7:28 a.m.	thread_identifier: 2204 thread_handle: 0x00000000000002f0 process_identifier: 2256 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000000000002f4	1	1
NtUnmapViewOfSection April 1, 2024, 7:28 a.m.	base_address: 0x0000000000400000 region_size: 10682368 process_identifier: 2256 process_handle: 0x00000000000002f4		-1073741799
NtAllocateVirtualMemory April 1, 2024, 7:28 a.m.	process_identifier: 2256 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000000000002f4	1	0
WriteProcessMemory April 1, 2024, 7:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELLgøà"03 @@ @83O@Ü`3 H.text `.rsrcÜ@@@.reloc`(@B base_address: 0x0000000000400000 process_identifier: 2256 process_handle: 0x00000000000002f4	1	1
WriteProcessMemory April 1, 2024, 7:28 a.m.	buffer: base_address: 0x0000000000402000 process_identifier: 2256 process_handle: 0x00000000000002f4	1	1
WriteProcessMemory April 1, 2024, 7:28 a.m.	buffer: base_address: 0x0000000000404000 process_identifier: 2256 process_handle: 0x00000000000002f4	1	1
WriteProcessMemory April 1, 2024, 7:28 a.m.	buffer: 03 base_address: 0x0000000000406000 process_identifier: 2256 process_handle: 0x00000000000002f4	1	1
WriteProcessMemory April 1, 2024, 7:28 a.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 2256 process_handle: 0x00000000000002f4	1	1
NtResumeThread April 1, 2024, 7:28 a.m.	thread_handle: 0x00000000000002f0 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x000001d0 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x000005e0 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x000005fc suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000608 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x0000061c suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000630 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000644 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000658 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x000006a8 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x000006f8 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x0000071c suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000738 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000764 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000790 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x000007bc suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000824 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000850 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000774 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x000006bc suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000928 suspend_count: 1 process_identifier: 2256	1	0
CreateProcessInternalW April 1, 2024, 7:35 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\4I1LPjSWHw0dRdm14B8cpxsz.exe track: 0 command_line: "C:\Users\test22\Pictures\4I1LPjSWHw0dRdm14B8cpxsz.exe" filepath_r: C:\Users\test22\Pictures\4I1LPjSWHw0dRdm14B8cpxsz.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW April 1, 2024, 7:35 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\2zyozPmmwykliZbwysYuXnYM.exe track: 0 command_line: "C:\Users\test22\Pictures\2zyozPmmwykliZbwysYuXnYM.exe" filepath_r: C:\Users\test22\Pictures\2zyozPmmwykliZbwysYuXnYM.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000778 suspend_count: 1 process_identifier: 2256	1	0
CreateProcessInternalW April 1, 2024, 7:35 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\bPUK4cVaayh1kcBs6MD682U7.exe track: 0 command_line: "C:\Users\test22\Pictures\bPUK4cVaayh1kcBs6MD682U7.exe" filepath_r: C:\Users\test22\Pictures\bPUK4cVaayh1kcBs6MD682U7.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x0000086c suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x000009d4 suspend_count: 1 process_identifier: 2256	1	0
CreateProcessInternalW April 1, 2024, 7:35 a.m.	thread_identifier: 232 thread_handle: 0x000009bc process_identifier: 648 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\1EqK5UBmfgkna1y9f5Pn8uBm.exe track: 1 command_line: "C:\Users\test22\Pictures\1EqK5UBmfgkna1y9f5Pn8uBm.exe" filepath_r: C:\Users\test22\Pictures\1EqK5UBmfgkna1y9f5Pn8uBm.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000a1c	1	1
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000690 suspend_count: 1 process_identifier: 2256	1	0
NtResumeThread April 1, 2024, 7:35 a.m.	thread_handle: 0x00000708 suspend_count: 1 process_identifier: 2256	1	0

Akh.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All