Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 19, 2021, 8:19 a.m.	March 19, 2021, 8:26 a.m.

Size	869.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d4b31689b01301f90ce578d418a74231`
SHA256	`4c83b9a705090f3edd4f8f1322ec609b7a04d59d03b390681c3708c61341eb1a`
CRC32	`E55E00B6`
ssdeep	`24576:lZPkSFqd8QVpOV0XkStbjFzcbVnGk3O9PyhoBfgTk:lZMSwd7pOSUN5Gk+hEoBfgT`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check Win32_Trojan_PWS_Azorult_Net_1_Zero - Win32 Trojan PWS .NET Azorult

ndena.exe "C:\Users\test22\AppData\Local\Temp\ndena.exe"
3324

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 19, 2021, 8:19 a.m.			0	0
IsDebuggerPresent March 19, 2021, 8:19 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey March 19, 2021, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00853210 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 19, 2021, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008532d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 19, 2021, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008532d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 19, 2021, 8:19 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (35 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:19 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 3324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 3324 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 3324 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000b0e00', u'virtual_address': u'0x00002000', u'entropy': 7.860558201707512, u'name': u'.text', u'virtual_size': u'0x000b0d94'}

entropy

7.86055820171

description

A section with a high entropy has been found

entropy

0.814622913069

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 19, 2021, 8:21 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (10 events)

Time & API	Arguments	Status
NtTerminateProcess March 19, 2021, 8:21 a.m.	status_code: 0xffffffff process_identifier: 4012 process_handle: 0x00000268
NtTerminateProcess March 19, 2021, 8:21 a.m.	status_code: 0xffffffff process_identifier: 4012 process_handle: 0x00000268	1
NtTerminateProcess March 19, 2021, 8:21 a.m.	status_code: 0xffffffff process_identifier: 4788 process_handle: 0x00000274
NtTerminateProcess March 19, 2021, 8:21 a.m.	status_code: 0xffffffff process_identifier: 4788 process_handle: 0x00000274	1
NtTerminateProcess March 19, 2021, 8:21 a.m.	status_code: 0xffffffff process_identifier: 7012 process_handle: 0x0000027c
NtTerminateProcess March 19, 2021, 8:21 a.m.	status_code: 0xffffffff process_identifier: 7012 process_handle: 0x0000027c	1
NtTerminateProcess March 19, 2021, 8:21 a.m.	status_code: 0xffffffff process_identifier: 6564 process_handle: 0x00000284
NtTerminateProcess March 19, 2021, 8:21 a.m.	status_code: 0xffffffff process_identifier: 6564 process_handle: 0x00000284	1
NtTerminateProcess March 19, 2021, 8:21 a.m.	status_code: 0xffffffff process_identifier: 6456 process_handle: 0x0000028c
NtTerminateProcess March 19, 2021, 8:21 a.m.	status_code: 0xffffffff process_identifier: 6456 process_handle: 0x0000028c	1

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (5 events)

Time & API	Arguments	Return
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 4012 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	3221225496
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 4788 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c	3221225496
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 7012 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000270	3221225496
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 6564 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	3221225496
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 6456 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280	3221225496

Manipulates memory of a non-child process indicative of process injection (10 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 3324 manipulating memory of non-child process 4012
Process injection	Process 3324 manipulating memory of non-child process 4788
Process injection	Process 3324 manipulating memory of non-child process 7012
Process injection	Process 3324 manipulating memory of non-child process 6564
Process injection	Process 3324 manipulating memory of non-child process 6456
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 4012 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	3221225496	0
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 4788 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c	3221225496	0
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 7012 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000270	3221225496	0
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 6564 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	3221225496	0
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 6456 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280	3221225496	0

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Symantec	Scr.Malcode!gdn30
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Generic
FireEye	Generic.mg.d4b31689b01301f9
Sophos	ML/PE-A
eGambit	Unsafe.AI_Score_98%
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
BitDefenderTheta	Gen:NN.ZemsilF.34628.2m0@ay64jjj
ESET-NOD32	a variant of MSIL/Kryptik.AAAV
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AABO!tr
Cybereason	malicious.a2dc64
Qihoo-360	HEUR/QVM03.0.FC85.Malware.Gen

Executed a process and injected code into it, probably while unpacking (19 events)

Time & API	Arguments	Status	Return
NtResumeThread March 19, 2021, 8:19 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3324	1	0
NtResumeThread March 19, 2021, 8:19 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 3324	1	0
NtResumeThread March 19, 2021, 8:19 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 3324	1	0
NtResumeThread March 19, 2021, 8:21 a.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 3324	1	0
CreateProcessInternalW March 19, 2021, 8:21 a.m.	thread_identifier: 6380 thread_handle: 0x00000254 process_identifier: 4012 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ndena.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ndena.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000258	1	1
NtGetContextThread March 19, 2021, 8:21 a.m.	thread_handle: 0x00000254	1	0
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 4012 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258		3221225496
CreateProcessInternalW March 19, 2021, 8:21 a.m.	thread_identifier: 3176 thread_handle: 0x00000268 process_identifier: 4788 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ndena.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ndena.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000026c	1	1
NtGetContextThread March 19, 2021, 8:21 a.m.	thread_handle: 0x00000268	1	0
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 4788 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000026c		3221225496
CreateProcessInternalW March 19, 2021, 8:21 a.m.	thread_identifier: 3684 thread_handle: 0x00000274 process_identifier: 7012 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ndena.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ndena.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000270	1	1
NtGetContextThread March 19, 2021, 8:21 a.m.	thread_handle: 0x00000274	1	0
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 7012 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000270		3221225496
CreateProcessInternalW March 19, 2021, 8:21 a.m.	thread_identifier: 6076 thread_handle: 0x0000027c process_identifier: 6564 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ndena.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ndena.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000278	1	1
NtGetContextThread March 19, 2021, 8:21 a.m.	thread_handle: 0x0000027c	1	0
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 6564 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278		3221225496
CreateProcessInternalW March 19, 2021, 8:21 a.m.	thread_identifier: 9112 thread_handle: 0x00000284 process_identifier: 6456 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ndena.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ndena.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000280	1	1
NtGetContextThread March 19, 2021, 8:21 a.m.	thread_handle: 0x00000284	1	0
NtAllocateVirtualMemory March 19, 2021, 8:21 a.m.	process_identifier: 6456 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000280		3221225496

ndena.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All