Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 5, 2021, 2:37 p.m.	April 5, 2021, 2:40 p.m.

Size	10.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`af23b8181c08a65a2aacd3568a1dd46e`
SHA256	`3d66c69a76e392f4abb355dc1acac9a69597e158d271ae209f05a3b75f9ce7d7`
CRC32	`D932022A`
ssdeep	`192:YY0ZL9PzxD0+JveaffkHj4wj9xVh42mH2:YY0Z/HveaHkHjDjbxmH`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description)

updatechannel2.exe "C:\Users\test22\AppData\Local\Temp\updatechannel2.exe"
8072
- eammf30lGlNkfSZ4t4chClgx.exe "C:\Users\test22\Documents\eammf30lGlNkfSZ4t4chClgx.exe"
  6096
  - I7LuCNz5rLHcWJTOu0NR5dLf.exe "C:\Users\test22\AppData\Roaming\I7LuCNz5rLHcWJTOu0NR5dLf.exe"
    4404

Name	Response	Post-Analysis Lookup
gwenetha.info	A 172.67.131.232 A 104.21.12.27	172.67.131.232
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.99.190
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.133.233
iplogger.org	A 88.99.66.31	88.99.66.31
whatitis.website

IP Address	Status	Action
104.21.12.27	Active	Moloch
104.23.99.190	Active	Moloch
162.159.134.233	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
203.159.80.228	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 5, 2021, 2:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 5, 2021, 2:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 5, 2021, 2:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 5, 2021, 2:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 5, 2021, 2:37 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 5, 2021, 2:37 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 5, 2021, 2:37 p.m.			0	0
IsDebuggerPresent April 5, 2021, 2:37 p.m.			0	0
IsDebuggerPresent April 5, 2021, 2:30 p.m.			0	0
IsDebuggerPresent April 5, 2021, 2:30 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 5, 2021, 2:37 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://203.159.80.228/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1h7Tq7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/2CQAB5.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826198252025675816/826537386485612574/china.png
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1iPtu7
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/gCyjHCCH
suspicious_features	GET method with no useragent header	suspicious_request	GET https://gwenetha.info/setup-KGQJ-1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826198252025675816/826538114838298715/install_setupVPSfree.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826531006563352596/Bussed_2021-03-30_21-01.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826469949593485312/file.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/2LehR6.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826855866228670474/7525b875715555.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826540039764705360/7525b875713675d4ff0018cf084f493a4e4977de_2021-03-30_22-25.exe

Performs some HTTP requests (14 events)

request	GET http://203.159.80.228/
request	GET https://iplogger.org/1h7Tq7
request	GET https://iplogger.org/2CQAB5.exe
request	GET https://cdn.discordapp.com/attachments/826198252025675816/826537386485612574/china.png
request	GET https://cdn.discordapp.com/attachments/822543417757270050/826145904716152872/PlayerUI.exe
request	GET https://iplogger.org/1iPtu7
request	GET https://pastebin.com/raw/gCyjHCCH
request	GET https://gwenetha.info/setup-KGQJ-1.exe
request	GET https://cdn.discordapp.com/attachments/826198252025675816/826538114838298715/install_setupVPSfree.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826531006563352596/Bussed_2021-03-30_21-01.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826469949593485312/file.exe
request	GET https://iplogger.org/2LehR6.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826855866228670474/7525b875715555.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826540039764705360/7525b875713675d4ff0018cf084f493a4e4977de_2021-03-30_22-25.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 87 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:37 p.m.	process_identifier: 8072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000680000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0831000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0ecb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 region_size: 2424832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000c80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0834000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0834000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0834000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0834000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 5, 2021, 2:30 p.m.	process_identifier: 6096 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Roaming\I7LuCNz5rLHcWJTOu0NR5dLf.exe
file	C:\Users\test22\AppData\Roaming\pql96hcvHyxiJAMAiV7iQtWD.exe
file	C:\Users\test22\AppData\Roaming\kSzRVcsP6usiqGBc7LEgiyKA.exe
file	C:\Users\test22\Documents\eammf30lGlNkfSZ4t4chClgx.exe

Drops a binary and executes it (4 events)

file	C:\Users\test22\Documents\eammf30lGlNkfSZ4t4chClgx.exe
file	C:\Users\test22\AppData\Roaming\pql96hcvHyxiJAMAiV7iQtWD.exe
file	C:\Users\test22\AppData\Roaming\kSzRVcsP6usiqGBc7LEgiyKA.exe
file	C:\Users\test22\AppData\Roaming\I7LuCNz5rLHcWJTOu0NR5dLf.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\I7LuCNz5rLHcWJTOu0NR5dLf.exe

Executes one or more WMI queries (1 event)

wmi	SELECT Caption FROM Win32_OperatingSystem

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 5, 2021, 2:37 p.m.	flags: 15 family: 0		111	0

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	203.159.80.228

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GSW7HUuobgHXDmIx37Ppvs3uKQOiPRi2	reg_value	C:\Users\test22\Documents\eammf30lGlNkfSZ4t4chClgx.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AyDt2yS0ceKLYdWNjG2SteYqB1E1v27G	reg_value	C:\Users\test22\AppData\Roaming\pql96hcvHyxiJAMAiV7iQtWD.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\aWsAtaEjhEDaRlKVR7lhX6U2hzH5ppKp	reg_value	C:\Users\test22\AppData\Roaming\kSzRVcsP6usiqGBc7LEgiyKA.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wpTqfyMQHh4SG37Ip1981nIeB0c3SJ41	reg_value	C:\Users\test22\AppData\Roaming\I7LuCNz5rLHcWJTOu0NR5dLf.exe

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Bulz.417326
FireEye	Generic.mg.af23b8181c08a65a
ALYac	Gen:Variant.Bulz.417326
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanDownloader:MSIL/TrojanX.9679b97e
Cybereason	malicious.7dd00e
Arcabit	Trojan.Bulz.D65E2E
BitDefenderTheta	Gen:NN.ZemsilF.34670.am0@aqpWn!j
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Small.CLN
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-Downloader.MSIL.Bund.gen
BitDefender	Gen:Variant.Bulz.417326
Ad-Aware	Gen:Variant.Bulz.417326
Emsisoft	Gen:Variant.Bulz.417326 (B)
McAfee-GW-Edition	Artemis!Trojan
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
Avira	TR/Dldr.Small.hwuyy
MAX	malware (ai score=86)
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Variant.Bulz.417326
Cynet	Malicious (score: 85)
McAfee	Artemis!AF23B8181C08
Rising	Trojan.IPLogger!1.B69D (CLOUD)
AVG	Win32:TrojanX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	HEUR/QVM03.0.5D3F.Malware.Gen

updatechannel2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All