Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 5, 2021, 1:20 p.m.	April 5, 2021, 1:23 p.m.

Size	13.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`8e9df5d267e02aee6e6e2427fa2e2454`
SHA256	`937d2620a998f635ee40359f9a401a6c1c3c22600a6e78c8f8a760ea67d16553`
CRC32	`56321617`
ssdeep	`96:w00PmiS3JyINH5CTAGcov+GkWrMGk8/KGkKDYG96sJJfJHMqr7RvLrnboD3zaffJ:crS6JzLPeaffkHj4wj9bVxYbmH2`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description)

updatechannel4.exe "C:\Users\test22\AppData\Local\Temp\updatechannel4.exe"
2616
- xLSUYqRUzzhAU5weLqgJRcbb.exe "C:\Users\test22\Documents\xLSUYqRUzzhAU5weLqgJRcbb.exe"
  3800
  - iQhfnfy2P6K2x3h3ZLrBWgjj.exe "C:\Users\test22\AppData\Roaming\iQhfnfy2P6K2x3h3ZLrBWgjj.exe"
    4376

Name	Response	Post-Analysis Lookup
edgedl.gvt1.com	A 142.250.34.2	142.250.34.2
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.99.190
iplogger.org	A 88.99.66.31	88.99.66.31
whatitis.website
gwenetha.info	A 172.67.131.232 A 104.21.12.27	104.21.12.27
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.130.233

IP Address	Status	Action
104.23.98.190	Active	Moloch
142.250.34.2	Active	Moloch
142.250.66.131	Active	Moloch
162.159.130.233	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.131.232	Active	Moloch
203.159.80.228	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 5, 2021, 1:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 5, 2021, 1:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 5, 2021, 1:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 5, 2021, 1:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 5, 2021, 1:21 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 5, 2021, 1:21 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 5, 2021, 1:20 p.m.			0	0
IsDebuggerPresent April 5, 2021, 1:20 p.m.			0	0
IsDebuggerPresent April 5, 2021, 1:21 p.m.			0	0
IsDebuggerPresent April 5, 2021, 1:21 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 5, 2021, 1:20 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (15 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://203.159.80.228/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1xPHh7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/2CQAB5.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826198252025675816/826537386485612574/china.png
suspicious_features	POST method with no referer header	suspicious_request	POST https://update.googleapis.com/service/update2?cup2key=10:2761306227&cup2hreq=71b51d9ea15a088b2af84ffd33921119eb65dcd4b9b4898e9e4276f19445345c
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1iPtu7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/gCyjHCCH
suspicious_features	GET method with no useragent header	suspicious_request	GET https://gwenetha.info/setup-KGQJ-1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826198252025675816/826538114838298715/install_setupVPSfree.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826531006563352596/Bussed_2021-03-30_21-01.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826855866228670474/7525b875715555.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/2LehR6.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826540039764705360/7525b875713675d4ff0018cf084f493a4e4977de_2021-03-30_22-25.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826469949593485312/file.exe
suspicious_features	POST method with no referer header	suspicious_request	POST https://update.googleapis.com/service/update2

Performs some HTTP requests (18 events)

request	GET http://203.159.80.228/
request	HEAD http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
request	GET http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
request	GET https://iplogger.org/1xPHh7
request	GET https://iplogger.org/2CQAB5.exe
request	GET https://cdn.discordapp.com/attachments/826198252025675816/826537386485612574/china.png
request	GET https://cdn.discordapp.com/attachments/822543417757270050/826145904716152872/PlayerUI.exe
request	POST https://update.googleapis.com/service/update2?cup2key=10:2761306227&cup2hreq=71b51d9ea15a088b2af84ffd33921119eb65dcd4b9b4898e9e4276f19445345c
request	GET https://iplogger.org/1iPtu7
request	GET https://pastebin.com/raw/gCyjHCCH
request	GET https://gwenetha.info/setup-KGQJ-1.exe
request	GET https://cdn.discordapp.com/attachments/826198252025675816/826538114838298715/install_setupVPSfree.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826531006563352596/Bussed_2021-03-30_21-01.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826855866228670474/7525b875715555.exe
request	GET https://iplogger.org/2LehR6.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826540039764705360/7525b875713675d4ff0018cf084f493a4e4977de_2021-03-30_22-25.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826469949593485312/file.exe
request	POST https://update.googleapis.com/service/update2

Sends data using the HTTP POST Method (2 events)

request	POST https://update.googleapis.com/service/update2?cup2key=10:2761306227&cup2hreq=71b51d9ea15a088b2af84ffd33921119eb65dcd4b9b4898e9e4276f19445345c
request	POST https://update.googleapis.com/service/update2

Allocates read-write-execute memory (usually to unpack itself) (50 out of 87 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00325000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00327000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0030c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00316000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00317000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:20 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0030a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 2616 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 2616 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0831000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0ecb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000021f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002310000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0834000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0834000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0834000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0834000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 5, 2021, 1:21 p.m.	process_identifier: 3800 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Roaming\KgMaPqZhMrYe0IIyfpFVhMI6.exe
file	C:\Users\test22\AppData\Roaming\iQhfnfy2P6K2x3h3ZLrBWgjj.exe
file	C:\Users\test22\Documents\xLSUYqRUzzhAU5weLqgJRcbb.exe
file	C:\Users\test22\AppData\Roaming\WskrpAnfgK5eK1k0jNnEzzf3.exe

Drops a binary and executes it (4 events)

file	C:\Users\test22\Documents\xLSUYqRUzzhAU5weLqgJRcbb.exe
file	C:\Users\test22\AppData\Roaming\KgMaPqZhMrYe0IIyfpFVhMI6.exe
file	C:\Users\test22\AppData\Roaming\WskrpAnfgK5eK1k0jNnEzzf3.exe
file	C:\Users\test22\AppData\Roaming\iQhfnfy2P6K2x3h3ZLrBWgjj.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\iQhfnfy2P6K2x3h3ZLrBWgjj.exe

Executes one or more WMI queries (1 event)

wmi	SELECT Caption FROM Win32_OperatingSystem

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 5, 2021, 1:20 p.m.	flags: 15 family: 0		111	0

Communicates with host for which no DNS query was performed (3 events)

host	142.250.66.131
host	172.217.25.14
host	203.159.80.228

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\4RRLObzFcRxzBwTsEWMOUWEdGlS47E7U	reg_value	C:\Users\test22\Documents\xLSUYqRUzzhAU5weLqgJRcbb.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NffLJJWruMWgIt6QimSRFokUnDFa2BlA	reg_value	C:\Users\test22\AppData\Roaming\KgMaPqZhMrYe0IIyfpFVhMI6.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\5KhFE6ztkW82MbnCyaCJdshtgMArTjnB	reg_value	C:\Users\test22\AppData\Roaming\iQhfnfy2P6K2x3h3ZLrBWgjj.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\q7kc7syTHbRb5oq8ipN6eaFMnyj25HZA	reg_value	C:\Users\test22\AppData\Roaming\WskrpAnfgK5eK1k0jNnEzzf3.exe

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

MicroWorld-eScan	Trojan.GenericKD.36625148
ALYac	Trojan.GenericKD.36625148
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.fe65fd
Arcabit	Trojan.Generic.D22EDAFC
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Small.CLN
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-Downloader.MSIL.Bund.gen
BitDefender	Trojan.GenericKD.36625148
Ad-Aware	Trojan.GenericKD.36625148
Emsisoft	Trojan.GenericKD.36625148 (B)
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.8e9df5d267e02aee
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Microsoft	Backdoor:Win32/Bladabindi!ml
GData	Win32.Trojan.Ilgergop.RU396K
McAfee	Artemis!8E9DF5D267E0
MAX	malware (ai score=86)
Malwarebytes	Trojan.Downloader
Rising	Trojan.IPLogger!1.B69D (CLOUD)
Ikarus	Trojan-Downloader.MSIL.Small
Fortinet	MSIL/Small.CLN!tr.dldr
BitDefenderTheta	Gen:NN.ZemsilF.34670.am0@aKH6mro
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/Heur.Generic.HwMATkIA

updatechannel4.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All