Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 28, 2024, 10:31 a.m.	July 28, 2024, 10:36 a.m.

Size	615.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`88696cf17417a2339b63f9452404c839`
SHA256	`a5f629e62e8012c0ead81b462bc05ec9d20395af3121f87961f9d2dfde908895`
CRC32	`474C717F`
ssdeep	`12288:WcrNS33L10QdrX2ZVncWqvo2GAhcWMuql8lPtahdkkB183kD:FNA3R5drXwVcWWyLZ8db3kD`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

Display1.exe "C:\Users\test22\AppData\Local\Temp\Display1.exe"
2552
- cmd.exe cmd /c ""C:\Users\test22\AppData\Roaming\eystsdf.cmd" "
  2748
  - efthfxj.sfx.exe efthfxj.sfx.exe -pgtrfdewscbsdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeG -dC:\Users\test22\AppData\Roaming
    2816
    - efthfxj.exe "C:\Users\test22\AppData\Roaming\efthfxj.exe"
      3044
      - efthfxj.exe C:\Users\test22\AppData\Roaming\efthfxj.exe
        192
      - efthfxj.exe C:\Users\test22\AppData\Roaming\efthfxj.exe
        2256
      - efthfxj.exe C:\Users\test22\AppData\Roaming\efthfxj.exe
        2416

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameA July 28, 2024, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 28, 2024, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 28, 2024, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:31 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (14 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:31 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 28, 2024, 10:31 a.m.	buffer: The input line is too long. console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 28, 2024, 10:31 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 28, 2024, 10:31 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x723e1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x722b2ba1 mscorlib+0x2f45b0 @ 0x715645b0 mscorlib+0x2f73b5 @ 0x715673b5 mscorlib+0x2eeb10 @ 0x7155eb10 mscorlib+0x2ec3f4 @ 0x7155c3f4 mscorlib+0x2d8327 @ 0x71548327 mscorlib+0x2d9be9 @ 0x71549be9 mscorlib+0x2d9220 @ 0x71549220 mscorlib+0x2d902d @ 0x7154902d 0xfec90b 0xfebfa7 0xfebcbf DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72232652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7224264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x722b1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x722b1737 mscorlib+0x2d3711 @ 0x71543711 mscorlib+0x308f2d @ 0x71578f2d mscorlib+0x2cb060 @ 0x7153b060 0xfe1272 0xccac11 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72232652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7224264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72242e95 CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x723ca887 DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x722f7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72381dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72381e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72381f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7238416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x741af5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x728d7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x728d4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1895256 registers.edi: 0 registers.eax: 1895256 registers.ebp: 1895336 registers.edx: 3 registers.ebx: 4276000 registers.esi: 4100584 registers.ecx: 3389010894	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 28, 2024, 10:31 a.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x723e1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x722b2ba1
mscorlib+0x2f45b0 @ 0x715645b0
mscorlib+0x2f73b5 @ 0x715673b5
mscorlib+0x2eeb10 @ 0x7155eb10
mscorlib+0x2ec3f4 @ 0x7155c3f4
mscorlib+0x2d8327 @ 0x71548327
mscorlib+0x2d9be9 @ 0x71549be9
mscorlib+0x2d9220 @ 0x71549220
mscorlib+0x2d902d @ 0x7154902d
0xfec90b
0xfebfa7
0xfebcbf
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72232652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7224264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x722b1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x722b1737
mscorlib+0x2d3711 @ 0x71543711
mscorlib+0x308f2d @ 0x71578f2d
mscorlib+0x2cb060 @ 0x7153b060
0xfe1272
0xccac11
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72232652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7224264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72242e95
CopyPDBs+0x4c45 DllCanUnloadNowInternal-0x3c392 clr+0x19a887 @ 0x723ca887
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x722f7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72381dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72381e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72381f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7238416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x741af5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x728d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x728d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 1895256
registers.edi: 0
registers.eax: 1895256
registers.ebp: 1895336
registers.edx: 3
registers.ebx: 4276000
registers.esi: 4100584
registers.ecx: 3389010894

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 150 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dd2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72231000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72232000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01082000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01080000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01080000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01080000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01080000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01080000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x010b6000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ccb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ccc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ccd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ccf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\eystsdf.cmd
file	C:\Users\test22\AppData\Roaming\efthfxj.exe
file	C:\Users\test22\AppData\Roaming\efthfxj.sfx.exe

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Roaming\eystsdf.cmd
file	C:\Users\test22\AppData\Roaming\efthfxj.sfx.exe
file	C:\Users\test22\AppData\Roaming\efthfxj.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\efthfxj.exe
file	C:\Users\test22\AppData\Roaming\efthfxj.sfx.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 28, 2024, 10:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (35 events)

description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 1728 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0		3221225496
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 192 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002f8	1	0
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 2256 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 2416 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000338	1	0

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 3044 manipulating memory of non-child process 1728
NtUnmapViewOfSection July 28, 2024, 10:31 a.m.	base_address: 0x00400000 region_size: 446464 process_identifier: 1728 process_handle: 0x000002d0	3221225497	0
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 1728 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0	3221225496	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3044 called NtSetContextThread to modify thread in remote process 1728
Process injection	Process 3044 called NtSetContextThread to modify thread in remote process 192
Process injection	Process 3044 called NtSetContextThread to modify thread in remote process 2256
Process injection	Process 3044 called NtSetContextThread to modify thread in remote process 2416
NtSetContextThread July 28, 2024, 10:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4246526 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002c8 process_identifier: 1728	1	0	0
NtSetContextThread July 28, 2024, 10:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4246526 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002f4 process_identifier: 192	1	0	0
NtSetContextThread July 28, 2024, 10:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4246526 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000314 process_identifier: 2256	1	0	0
NtSetContextThread July 28, 2024, 10:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4246526 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000334 process_identifier: 2416	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3044 resumed a thread in remote process 1728
Process injection	Process 3044 resumed a thread in remote process 192
Process injection	Process 3044 resumed a thread in remote process 2256
Process injection	Process 3044 resumed a thread in remote process 2416
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 1728	1	0	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000002f4 suspend_count: 1 process_identifier: 192	1	0	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2256	1	0	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2416	1	0	0

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Uztuby.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
McAfee	Artemis!88696CF17417
ALYac	Trojan.Uztuby.37
Cylance	Unsafe
VIPRE	Trojan.Uztuby.37
Sangfor	Trojan.Win32.Agent.Vedx
BitDefender	Trojan.Uztuby.37
Cybereason	malicious.17417a
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Injuke
MicroWorld-eScan	Trojan.Uztuby.37
Emsisoft	Trojan.Uztuby.37 (B)
McAfeeD	ti!A5F629E62E80
FireEye	Generic.mg.88696cf17417a233
Sophos	Generic ML PUA (PUA)
Kingsoft	Win32.Troj.Unknown.a
ZoneAlarm	UDS:Trojan.Win32.Injuke
GData	Trojan.Uztuby.37
Varist	W32/Runner.L.gen!Eldorado
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
huorong	Trojan/BAT.Starter.am
Fortinet	BAT/Runner.EMTH!tr
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (W)

Executed a process and injected code into it, probably while unpacking (50 out of 57 events)

Time & API	Arguments	Status	Return
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 2552	1	0
CreateProcessInternalW July 28, 2024, 10:31 a.m.	thread_identifier: 2752 thread_handle: 0x000002d8 process_identifier: 2748 current_directory: C:\Users\test22\AppData\Roaming filepath: track: 1 command_line: "C:\Users\test22\AppData\Roaming\eystsdf.cmd" filepath_r: stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002cc	1	1
CreateProcessInternalW July 28, 2024, 10:31 a.m.	thread_identifier: 2820 thread_handle: 0x00000084 process_identifier: 2816 current_directory: C:\Users\test22\AppData\Roaming filepath: C:\Users\test22\AppData\Roaming\efthfxj.sfx.exe track: 1 command_line: efthfxj.sfx.exe -pgtrfdewscbsdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeG -dC:\Users\test22\AppData\Roaming filepath_r: C:\Users\test22\AppData\Roaming\efthfxj.sfx.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2816	1	0
CreateProcessInternalW July 28, 2024, 10:31 a.m.	thread_identifier: 3048 thread_handle: 0x000002e8 process_identifier: 3044 current_directory: C:\Users\test22\AppData\Roaming filepath: C:\Users\test22\AppData\Roaming\efthfxj.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\efthfxj.exe" filepath_r: C:\Users\test22\AppData\Roaming\efthfxj.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f0	1	1
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 3044	1	0
NtGetContextThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 3044	1	0
NtGetContextThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 3044	1	0
NtGetContextThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000000e4	1	0
NtSetContextThread July 28, 2024, 10:31 a.m.	registers.eip: 1915431812 registers.esp: 1895464 registers.edi: 30592 registers.eax: 3080293 registers.ebp: 1895468 registers.edx: 38630416 registers.ebx: 38630384 registers.esi: 112 registers.ecx: 64417784 thread_handle: 0x000000e4 process_identifier: 3044	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 3044	1	0
CreateProcessInternalW July 28, 2024, 10:31 a.m.	thread_identifier: 2120 thread_handle: 0x000002c8 process_identifier: 1728 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\efthfxj.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtUnmapViewOfSection July 28, 2024, 10:31 a.m.	base_address: 0x00400000 region_size: 446464 process_identifier: 1728 process_handle: 0x000002d0		3221225497
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 1728 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0		3221225496
NtGetContextThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000002c8	1	0
NtSetContextThread July 28, 2024, 10:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4246526 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002c8 process_identifier: 1728	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 1728	1	0
CreateProcessInternalW July 28, 2024, 10:31 a.m.	thread_identifier: 152 thread_handle: 0x000002f4 process_identifier: 192 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\efthfxj.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002f8	1	1
NtUnmapViewOfSection July 28, 2024, 10:31 a.m.	base_address: 0x00400000 region_size: 13107200 process_identifier: 192 process_handle: 0x000002f8		3221225497
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 192 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002f8	1	0
NtGetContextThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000002f4	1	0
NtSetContextThread July 28, 2024, 10:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4246526 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002f4 process_identifier: 192	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000002f4 suspend_count: 1 process_identifier: 192	1	0
CreateProcessInternalW July 28, 2024, 10:31 a.m.	thread_identifier: 320 thread_handle: 0x00000314 process_identifier: 2256 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\efthfxj.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000318	1	1
NtUnmapViewOfSection July 28, 2024, 10:31 a.m.	base_address: 0x00400000 region_size: 13107200 process_identifier: 2256 process_handle: 0x00000318		3221225497
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 2256 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
NtGetContextThread July 28, 2024, 10:31 a.m.	thread_handle: 0x00000314	1	0
NtSetContextThread July 28, 2024, 10:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4246526 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000314 process_identifier: 2256	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2256	1	0
CreateProcessInternalW July 28, 2024, 10:31 a.m.	thread_identifier: 2420 thread_handle: 0x00000334 process_identifier: 2416 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\efthfxj.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000338	1	1
NtUnmapViewOfSection July 28, 2024, 10:31 a.m.	base_address: 0x00400000 region_size: 13107200 process_identifier: 2416 process_handle: 0x00000338		3221225497
NtAllocateVirtualMemory July 28, 2024, 10:31 a.m.	process_identifier: 2416 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000338	1	0
NtGetContextThread July 28, 2024, 10:31 a.m.	thread_handle: 0x00000334	1	0
NtSetContextThread July 28, 2024, 10:31 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4246526 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000334 process_identifier: 2416	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2416	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 192	1	0
NtResumeThread July 28, 2024, 10:31 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 192	1	0

Display1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All