Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 18, 2024, 7:34 a.m.	June 18, 2024, 7:37 a.m.

Size	98.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9ea3d152c4e248841abf4f490a84b8c9`
SHA256	`1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0`
CRC32	`E9719ABC`
ssdeep	`1536:+A4Lk8u2qHlllllllOdQlwEn+glllllllllllllllllll5xw5ll:RMtYwiVxw5ll`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

IMG_812_06108.exe "C:\Users\test22\AppData\Local\Temp\IMG_812_06108.exe"
800
- cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2552
  - ipconfig.exe ipconfig /release
    2612
- IMG_812_06108.exe "C:\Users\test22\AppData\Local\Temp\IMG_812_06108.exe"
  2796
- cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
  2868
  - ipconfig.exe ipconfig /renew
    2948

Name	Response	Post-Analysis Lookup
api.ipify.org	A 104.26.13.205 A 172.67.74.152 A 104.26.12.205	172.67.74.152

IP Address	Status	Action
104.26.13.205	Active	Moloch
164.124.101.2	Active	Moloch
78.111.67.189	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 78.111.67.189:80 -> 192.168.56.103:49161	2017962	ET MALWARE PE EXE or DLL Windows file download disguised as ASCII	A Network Trojan was detected
TCP 78.111.67.189:80 -> 192.168.56.103:49161	2022640	ET MALWARE PE EXE or DLL Windows file download Text M2	A Network Trojan was detected
TCP 78.111.67.189:80 -> 192.168.56.103:49161	2035769	ET HUNTING [TW] Likely Hex Executable String	Misc activity
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.103:49170 -> 104.26.13.205:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.103:49170 -> 104.26.13.205:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 78.111.67.189:80 -> 192.168.56.103:49161	2012252	ET SHELLCODE Common 0a0a0a0a Heap Spray String	Executable code was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49170 104.26.13.205:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=ipify.org	d7:26:8f:42:ea:20:0d:40:ec:e2:9c:42:dd:94:45:64:2a:b8:c6:ce

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 18, 2024, 7:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 18, 2024, 7:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 18, 2024, 7:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 18, 2024, 7:35 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 18, 2024, 7:34 a.m.			0	0
IsDebuggerPresent June 18, 2024, 7:34 a.m.			0	0
IsDebuggerPresent June 18, 2024, 7:35 a.m.			0	0
IsDebuggerPresent June 18, 2024, 7:35 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 18, 2024, 7:35 a.m.	buffer: Windows IP Configuration console_handle: 0x00000007	1	1
WriteConsoleW June 18, 2024, 7:35 a.m.	buffer: The operation failed as no adapter is in the state permissible for this operation. console_handle: 0x00000007	1	1
WriteConsoleW June 18, 2024, 7:35 a.m.	buffer: Windows IP Configuration console_handle: 0x00000007	1	1
WriteConsoleW June 18, 2024, 7:35 a.m.	buffer: The operation failed as no adapter is in the state permissible for this operation. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (10 events)

Time & API	Arguments	Status	Return
CryptExportKey June 18, 2024, 7:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2024, 7:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2024, 7:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2024, 7:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey June 18, 2024, 7:35 a.m.	buffer: f ]ÍoCÆ«ã¯ÌÆ¢M<ßHéÖëD/¡p+Ë2 crypto_handle: 0x00410cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey June 18, 2024, 7:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2024, 7:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2024, 7:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004111f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 18, 2024, 7:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00410c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey June 18, 2024, 7:35 a.m.	buffer: f ]ÍoCÆ«ã¯ÌÆ¢M<ßHéÖëD/¡p+Ë2 crypto_handle: 0x00410c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 18, 2024, 7:34 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 18, 2024, 7:35 a.m.	stacktrace: 0x7d0694 0x7d05d5 0x7d0455 0x7d0070 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73ff74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73ff7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74081dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74081e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74081f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7408416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7d393f registers.esp: 4060168 registers.edi: 4060192 registers.eax: 0 registers.ebp: 4060204 registers.edx: 195 registers.ebx: 4060452 registers.esi: 41243224 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 18, 2024, 7:35 a.m.

stacktrace:

0x7d0694
0x7d05d5
0x7d0455
0x7d0070
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f32652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f4264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f42e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73ff74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73ff7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74081dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74081e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74081f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7408416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745df5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74867f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74864de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7d393f
registers.esp: 4060168
registers.edi: 4060192
registers.eax: 0
registers.ebp: 4060204
registers.edx: 195
registers.ebx: 4060452
registers.esi: 41243224
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://78.111.67.189/ecg/Hiwpwthq.mp4

Performs some HTTP requests (2 events)

request	GET http://78.111.67.189/ecg/Hiwpwthq.mp4
request	GET https://api.ipify.org/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 170 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:34 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cfc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cfd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cfe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05371000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05372000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05373000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05374000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05375000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05376000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05377000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c ipconfig /release
cmdline	"C:\Windows\System32\cmd.exe" /c ipconfig /renew

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 18, 2024, 7:35 a.m.	show_type: 0 filepath_r: cmd parameters: /c ipconfig /release filepath: cmd	1	1	0
ShellExecuteExW June 18, 2024, 7:35 a.m.	show_type: 0 filepath_r: cmd parameters: /c ipconfig /renew filepath: cmd	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 18, 2024, 7:34 a.m.	flags: 1158 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 18, 2024, 7:35 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 18, 2024, 7:35 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 18, 2024, 7:35 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (13 events)

description	Win Trojan AgentTesla	rule	Win_Trojan_AgentTesla_M_B_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 18, 2024, 7:35 a.m.	status_code: 0xffffffff process_identifier: 800 process_handle: 0x00000234		0	0
NtTerminateProcess June 18, 2024, 7:35 a.m.	status_code: 0xffffffff process_identifier: 800 process_handle: 0x00000234	1	0	0

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	ipconfig /renew
cmdline	ipconfig /release
cmdline	"C:\Windows\System32\cmd.exe" /c ipconfig /release
cmdline	cmd /c ipconfig /renew
cmdline	cmd /c ipconfig /release
cmdline	"C:\Windows\System32\cmd.exe" /c ipconfig /renew

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 77d61f0c95c5f7cd4378ca528c4d13ce283af5c4

Communicates with host for which no DNS query was performed (1 event)

host

78.111.67.189

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 2796 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000370	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 18, 2024, 7:34 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

IMG_812_06108.exe tried to sleep 2728253 seconds, actually delayed analysis time by 2728253 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Viilefvhdo

reg_value

C:\Users\test22\AppData\Roaming\Viilefvhdo.exe

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 18, 2024, 7:35 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL5Äefà ¿ À@ @È¾SÀFà H.text$ `.rsrcFÀ¢@@.relocà¨@B base_address: 0x00400000 process_identifier: 2796 process_handle: 0x00000370	1	1
WriteProcessMemory June 18, 2024, 7:35 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName511ab0a2-c801-4812-ab58-777b01835cc7.exe(LegalCopyright \|)OriginalFilename511ab0a2-c801-4812-ab58-777b01835cc7.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0043c000 process_identifier: 2796 process_handle: 0x00000370	1	1
WriteProcessMemory June 18, 2024, 7:35 a.m.	buffer: ° ? base_address: 0x0043e000 process_identifier: 2796 process_handle: 0x00000370	1	1
WriteProcessMemory June 18, 2024, 7:35 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2796 process_handle: 0x00000370	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 18, 2024, 7:35 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL5Äefà ¿ À@ @È¾SÀFà H.text$ `.rsrcFÀ¢@@.relocà¨@B base_address: 0x00400000 process_identifier: 2796 process_handle: 0x00000370	1	1	0

Harvests credentials from local email clients (6 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 800 called NtSetContextThread to modify thread in remote process 2796
NtSetContextThread June 18, 2024, 7:35 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4439838 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000430 process_identifier: 2796	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 800 resumed a thread in remote process 2796
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x00000430 suspend_count: 1 process_identifier: 2796	1	0	0

Collects information on the system (ipconfig, netstat, systeminfo) (2 events)

cmdline	cmd /c ipconfig /renew
cmdline	cmd /c ipconfig /release

Executed a process and injected code into it, probably while unpacking (37 events)

Time & API	Arguments	Status	Return
NtResumeThread June 18, 2024, 7:34 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 800	1	0
NtResumeThread June 18, 2024, 7:34 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 800	1	0
NtResumeThread June 18, 2024, 7:34 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 800	1	0
NtResumeThread June 18, 2024, 7:34 a.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 800	1	0
NtResumeThread June 18, 2024, 7:34 a.m.	thread_handle: 0x00000380 suspend_count: 1 process_identifier: 800	1	0
NtResumeThread June 18, 2024, 7:34 a.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 800	1	0
NtResumeThread June 18, 2024, 7:34 a.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 800	1	0
NtResumeThread June 18, 2024, 7:34 a.m.	thread_handle: 0x000003f4 suspend_count: 1 process_identifier: 800	1	0
NtResumeThread June 18, 2024, 7:34 a.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 800	1	0
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x00000430 suspend_count: 1 process_identifier: 800	1	0
NtGetContextThread June 18, 2024, 7:35 a.m.	thread_handle: 0x00000418	1	0
NtGetContextThread June 18, 2024, 7:35 a.m.	thread_handle: 0x00000418	1	0
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 800	1	0
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 800	1	0
CreateProcessInternalW June 18, 2024, 7:35 a.m.	thread_identifier: 2556 thread_handle: 0x0000057c process_identifier: 2552 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c ipconfig /release filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000584	1	1
CreateProcessInternalW June 18, 2024, 7:35 a.m.	thread_identifier: 2800 thread_handle: 0x00000430 process_identifier: 2796 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\IMG_812_06108.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\IMG_812_06108.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000370	1	1
NtGetContextThread June 18, 2024, 7:35 a.m.	thread_handle: 0x00000430	1	0
NtAllocateVirtualMemory June 18, 2024, 7:35 a.m.	process_identifier: 2796 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000370	1	0
WriteProcessMemory June 18, 2024, 7:35 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL5Äefà ¿ À@ @È¾SÀFà H.text$ `.rsrcFÀ¢@@.relocà¨@B base_address: 0x00400000 process_identifier: 2796 process_handle: 0x00000370	1	1
WriteProcessMemory June 18, 2024, 7:35 a.m.	buffer: base_address: 0x00402000 process_identifier: 2796 process_handle: 0x00000370	1	1
WriteProcessMemory June 18, 2024, 7:35 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName511ab0a2-c801-4812-ab58-777b01835cc7.exe(LegalCopyright \|)OriginalFilename511ab0a2-c801-4812-ab58-777b01835cc7.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0043c000 process_identifier: 2796 process_handle: 0x00000370	1	1
WriteProcessMemory June 18, 2024, 7:35 a.m.	buffer: ° ? base_address: 0x0043e000 process_identifier: 2796 process_handle: 0x00000370	1	1
WriteProcessMemory June 18, 2024, 7:35 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2796 process_handle: 0x00000370	1	1
NtSetContextThread June 18, 2024, 7:35 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4439838 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000430 process_identifier: 2796	1	0
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x00000430 suspend_count: 1 process_identifier: 2796	1	0
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x000003c0 suspend_count: 1 process_identifier: 800	1	0
CreateProcessInternalW June 18, 2024, 7:35 a.m.	thread_identifier: 2872 thread_handle: 0x0000055c process_identifier: 2868 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000530	1	1
CreateProcessInternalW June 18, 2024, 7:35 a.m.	thread_identifier: 2616 thread_handle: 0x00000084 process_identifier: 2612 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\ipconfig.exe track: 1 command_line: ipconfig /release filepath_r: C:\Windows\system32\ipconfig.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2796	1	0
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2796	1	0
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 2796	1	0
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x00000280 suspend_count: 1 process_identifier: 2796	1	0
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2796	1	0
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x00000364 suspend_count: 1 process_identifier: 2796	1	0
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2796	1	0
NtResumeThread June 18, 2024, 7:35 a.m.	thread_handle: 0x000004cc suspend_count: 1 process_identifier: 2796	1	0
CreateProcessInternalW June 18, 2024, 7:35 a.m.	thread_identifier: 2952 thread_handle: 0x00000084 process_identifier: 2948 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\ipconfig.exe track: 1 command_line: ipconfig /renew filepath_r: C:\Windows\system32\ipconfig.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

IMG_812_06108.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All