Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 1, 2021, 9:27 a.m.	May 1, 2021, 9:38 a.m.

Size	587.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`eb6c0ff23c01dd3528789c8142890547`
SHA256	`fe69416ea50c8316791d7de7da893f9189c3d5f34cb9c64026206d19325ef5c5`
CRC32	`88139412`
ssdeep	`12288:ihcZoLLoS60/K7yh0eN8B8J7+NiOgc/TWu/OsC8Q7BWQ6P7FU:ihcZoLAtB8RKhf/TWu/OsC8Qh6`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE32 - (no description)

azflkjgfkldsad.exe "C:\Users\test22\AppData\Local\Temp\azflkjgfkldsad.exe"
900
- ozflkjgfkldsad.exe "C:\Users\test22\AppData\Local\Temp\ozflkjgfkldsad.exe"
  8724
  - ozflkjgfkldsad.exe "{path}"
    6912
- azflkjgfkldsad.exe "{path}"
  6200

Name	Response	Post-Analysis Lookup
malcacnba.ac.ug	A 185.215.113.77	185.215.113.77
macakslcaq.ug	A 185.215.113.77	185.215.113.77

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
185.215.113.77	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.77:80 -> 192.168.56.102:49815	2400023	ET DROP Spamhaus DROP Listed Traffic Inbound group 24	Misc Attack
TCP 192.168.56.102:49808 -> 185.215.113.77:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 185.215.113.77:80 -> 192.168.56.102:49808	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.77:80 -> 192.168.56.102:49808	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.102:49808	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.77:80 -> 192.168.56.102:49815	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.77:80 -> 192.168.56.102:49816	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 1, 2021, 9:28 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 1, 2021, 9:28 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 1, 2021, 9:27 a.m.			0	0
IsDebuggerPresent May 1, 2021, 9:27 a.m.			0	0
IsDebuggerPresent May 1, 2021, 9:28 a.m.			0	0
IsDebuggerPresent May 1, 2021, 9:28 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 1, 2021, 9:27 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.77/ozflkjgfkldsad.exe
suspicious_features	POST method with no referer header	suspicious_request	POST http://macakslcaq.ug/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://malcacnba.ac.ug/softokn3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://malcacnba.ac.ug/sqlite3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://malcacnba.ac.ug/freebl3.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://malcacnba.ac.ug/mozglue.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://malcacnba.ac.ug/msvcp140.dll
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://malcacnba.ac.ug/nss3.dll

Performs some HTTP requests (8 events)

request	GET http://185.215.113.77/ozflkjgfkldsad.exe
request	POST http://macakslcaq.ug/index.php
request	POST http://malcacnba.ac.ug/softokn3.dll
request	POST http://malcacnba.ac.ug/sqlite3.dll
request	POST http://malcacnba.ac.ug/freebl3.dll
request	POST http://malcacnba.ac.ug/mozglue.dll
request	POST http://malcacnba.ac.ug/msvcp140.dll
request	POST http://malcacnba.ac.ug/nss3.dll

Sends data using the HTTP POST Method (7 events)

request	POST http://macakslcaq.ug/index.php
request	POST http://malcacnba.ac.ug/softokn3.dll
request	POST http://malcacnba.ac.ug/sqlite3.dll
request	POST http://malcacnba.ac.ug/freebl3.dll
request	POST http://malcacnba.ac.ug/mozglue.dll
request	POST http://malcacnba.ac.ug/msvcp140.dll
request	POST http://malcacnba.ac.ug/nss3.dll

Allocates read-write-execute memory (usually to unpack itself) (50 out of 61 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00731000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00732000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00733000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00734000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00736000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00737000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00738000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00739000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0073a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:27 a.m.	process_identifier: 900 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 900 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0073b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f502000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02170000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00791000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 8724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00792000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\ozflkjgfkldsad.exe
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\ozflkjgfkldsad.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\ozflkjgfkldsad.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 1, 2021, 9:27 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process ozflkjgfkldsad.exe (6 events)

Time & API	Arguments	Status	Return
InternetReadFile May 1, 2021, 9:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¢l$æ JOæ JOæ JOïuÙOê JO?oKNä JO?oINä JO?oONì JO?oNNí JOÄmKNä JO-nKNå JOæ KO~ JO-nNNò JO-nJNç JO-nµOç JO-nHNç JORichæ JOPEL¿bë[à"!¶b¼ÐP ±@¨¸È0xÐ@`ÐþT(ÿ@Ðl.textË´¶ `.rdata DÐFº@@.data @À.rsrcx0@@.reloc`@@B request_handle: 0x00cc000c	1	1
InternetReadFile May 1, 2021, 9:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELê=Sv?à!ÐàXà` 8Ã °ÐL ü'ð¬Ñp.textÀÎÐ`0`.data°àÖ@@À.rdata$ð®æ@@@.bss @À.edata°@0@.idataL Ð®@0À.CRTàº@0À.tls ð¼@0À.relocü'(¾@0B/4`0æ@@B/19È@è@B/35MPì@B/51`C`Dô@B/63 °8@B/77ÀF@B/89ÐR request_handle: 0x00cc000c	1	1
InternetReadFile May 1, 2021, 9:28 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Àð/AVAVAVéÒVAV]ó@WAV1VAV]óBWAV]óDWAV]óEWAV¦ñ@WAVOò@WAV@VÖAVOòBWAVOòEWÀAVOòAWAVOò¾VAVOòCWAVRichAVPELØbë[à"!Øf)Ýðp£s@pæPÀæÈ@xüÐPà0âTâ@ð8.texttÖØ `.rdataüþðÜ@@.data,HðÜ@À.rsrcx@à@@.relocàPä@B request_handle: 0x00cc000c	1	1
InternetReadFile May 1, 2021, 9:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÂU±É£;âÉ£;âÉ£;âÀÛ¨âÙ£;âWüâË£;âÁ8ãÇ£;âÁ?ãÂ£;âÁ:ãÍ£;âÁ>ãÛ£;âëÃ:ãÀ£;âÉ£:âw£;âÀ?ãÈ£;âÀ>ãÝ£;âÀ;ãÈ£;âÀÄâÈ£;âÀ9ãÈ£;âRichÉ£;âPELÄ_ë[à"!zà@3@A@Àt´Þ, xúÐ0h¹TT¹h¸@ôl¾.textÊxz `.rdata^ef~@@.data¼ä@À.didat8æ@À.rsrcx è@@.reloch0ì@B request_handle: 0x00cc000c	1	1
InternetReadFile May 1, 2021, 9:28 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¦È¼Aâ©Òâ©Òâ©ÒV5=à©ÒëÑAú©Ò;ËÓá©Òâ©Ó"©Ò;ËÑë©Ò;ËÖî©Ò;Ë×ô©Ò;ËÚ©Ò;ËÒã©Ò;Ë-ã©Ò;ËÐã©ÒRichâ©ÒPEL8'Yà"!P± Ðaz@AðCÏôR,øx8?4:ðf8È(@Pð@@.textr `.data( @À.idata6P @@.didat4p6@À.rsrcø8@@.reloc4:<<@B request_handle: 0x00cc000c	1	1
InternetReadFile May 1, 2021, 9:28 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $#4gâZßgâZßgâZßnÉßsâZß¾[ÞeâZßùBßcâZß¾YÞjâZß¾_ÞmâZß¾^ÞlâZßE[ÞoâZß¬[ÞdâZßgâ[ßâZß¬^ÞmãZß¬ZÞfâZß¬¥ßfâZß¬XÞfâZßRichgâZßPELbë[à"!êwð@·»@ =T°pæÐÀ}pTÈ@ø.textèê `.rdataRTî@@.datatG`"B@À.rsrcp°d@@.reloc}À~h@B request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00092400', u'virtual_address': u'0x00002000', u'entropy': 6.951456315461889, u'name': u'.text', u'virtual_size': u'0x00092204'}

entropy

6.95145631546

description

A section with a high entropy has been found

entropy

0.996592844974

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://ip-api.com/json
url	https://dotbit.me/a/

Yara rule detected in process memory (24 events)

description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications over HTTP	rule	Network_HTTP
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Run a KeyLogger	rule	KeyLogger
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 6200 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004c8	1	0	0
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 6912 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	1	0	0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 6200 process_handle: 0x000004c8	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿàO@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØáveÛe3ôs>v÷E±Yêá)VûAr5d2'òÂØMY pê5ù©ñÌ-þ+~R¶ÖæÐvMºoß3 v§·5vÅÞ¸`6©¤á þáx.¢Wï)b!ò²jíïz´Ì·\|X¸q/Õæ?dEzãîs£3Ãhp>4Æ7èËJ\|úðØèëá¾iAò¡úèÌ3áHþíG\rgã@À¥[\ë¸?áRÃénSÑÒ-´¼;ÐÍñ[MQ¶SEvr]`U¥Ýê(èúmü'~àÖ.ÚÅÂÅÃ3Â%G°j°Uî½S:Ì¦æä[½V¿vz½åÁL}¸<ÿ,9ÞýV_:Â9 ç½WùÙÔÛoSûËÛ`Qé6ñ¡àwËm¥Anm'o-°aÃÐµ1ä¨5[þ'Çè©Ð¦¿q¤ÞÆ +ºê$gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ<Aæ>5²+X2`ÿ0e¢÷¼Aâ@PD%ÌÐÒ:¨»efk®Z¨ÃÌPÒÕcÕéN{»¨¤¦b«?O±óÝ0ZRÔèÌÚÃOË©¤×`TwR\ÀàÄËÃÐÃsS¦@O±j¹}¢ì Jg_ÍYÇò @'¸PÂZ°)zãp>cXgÇ¼\|½\ÏODná)ü7Lôû8a³Ô´:3ªÆôë¥øGgPnº1½·ÕÔ^)õ/2{Û¸<T¾i#©È7ný_Fû^înB!ôëäRÛc-dèmàÇ«>WÆÄNä¨«$há:_p$Öd^}QÏ kï8áeÏÌË%V¿âFNØ\ðøG;æ1Èy¤SÇ,°!#fñÄþ j®Þ Ø\|íälçÇ+ÆÚ EÅÅ$Ü¶Dë Í!kù,ú"dlQ(°ÇMIÎ,p#°)]ÕÙ9i-0àl&®ª!YÑoPÝ+¾9}\±¡©Ù.¿4#D.§×è¼R I±£ç 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ_h:÷Ù æÄ £8 c+-û2_ö0ýcQò¸dtµ+ûÞ¸¦åð#t êqêR(PY» ïÀ(¢#ÓÏÆÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆAÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°AÇAÇAÇA(ÈA\ÇAüÆA4ÇA\|ÆAÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°AÆAÇAÇAÇAÆA ÆA8ÇA¬ÆAPÇA¬ÇAÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇAÇAÇAÈÆAÆAÇAÆA0ÇAhÆAHÇA´ÇAmacakslcaq.ug base_address: 0x0041b000 process_identifier: 6200 process_handle: 0x000004c8	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 6200 process_handle: 0x000004c8	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 6200 process_handle: 0x000004c8	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 6912 process_handle: 0x00000278	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 6912 process_handle: 0x00000278	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 6200 process_handle: 0x000004c8	1	1	0
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 6912 process_handle: 0x00000278	1	1	0

Network activity contains more than one unique useragent (2 events)

process	azflkjgfkldsad.exe				useragent	Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
process	ozflkjgfkldsad.exe				useragent

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 900 called NtSetContextThread to modify thread in remote process 6200
Process injection	Process 8724 called NtSetContextThread to modify thread in remote process 6912
NtSetContextThread May 1, 2021, 9:28 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000004cc process_identifier: 6200	1	0	0
NtSetContextThread May 1, 2021, 9:28 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4291211 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 6912	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 900 resumed a thread in remote process 6200
Process injection	Process 8724 resumed a thread in remote process 6912
NtResumeThread May 1, 2021, 9:28 a.m.	thread_handle: 0x000004cc suspend_count: 1 process_identifier: 6200	1	0	0
NtResumeThread May 1, 2021, 9:28 a.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 6912	1	0	0

Generates some ICMP traffic

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_60% (W)
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/GenKryptik.FESY
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
Paloalto	generic.ml
Sophos	ML/PE-A
DrWeb	Trojan.Inject4.11083
McAfee-GW-Edition	Artemis!Trojan
Microsoft	Trojan:MSIL/AgentTesla.AQD!MTB
AegisLab	Trojan.Multi.Generic.4!c
Cynet	Malicious (score: 100)
McAfee	Artemis!EB6C0FF23C01
Rising	Trojan.AgentTesla!8.104D5 (CLOUD)
Ikarus	Win32.Outbreak
Fortinet	MSIL/GenKryptik.FEQM!tr
AVG	Win32:PWSX-gen [Trj]

Executed a process and injected code into it, probably while unpacking (36 events)

Time & API	Arguments	Status	Return
NtResumeThread May 1, 2021, 9:27 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 900	1	0
NtResumeThread May 1, 2021, 9:27 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 900	1	0
NtResumeThread May 1, 2021, 9:27 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 900	1	0
NtResumeThread May 1, 2021, 9:27 a.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 900	1	0
NtGetContextThread May 1, 2021, 9:27 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread May 1, 2021, 9:27 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread May 1, 2021, 9:27 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 900	1	0
NtResumeThread May 1, 2021, 9:27 a.m.	thread_handle: 0x000003c0 suspend_count: 1 process_identifier: 900	1	0
CreateProcessInternalW May 1, 2021, 9:28 a.m.	thread_identifier: 4024 thread_handle: 0x00000544 process_identifier: 8724 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\ozflkjgfkldsad.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\ozflkjgfkldsad.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\ozflkjgfkldsad.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000538	1	1
CreateProcessInternalW May 1, 2021, 9:28 a.m.	thread_identifier: 3624 thread_handle: 0x000004cc process_identifier: 6200 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\azflkjgfkldsad.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\azflkjgfkldsad.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004c8	1	1
NtGetContextThread May 1, 2021, 9:28 a.m.	thread_handle: 0x000004cc	1	0
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 6200 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004c8	1	0
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à$¦°@@Ðà\CODE° `DATAl°@ÀBSSÅÀ¤À.idataÐ¤@À.reloc\à¬@PÄ@P base_address: 0x00400000 process_identifier: 6200 process_handle: 0x000004c8	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: base_address: 0x00401000 process_identifier: 6200 process_handle: 0x000004c8	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: @2À@@@\@ì @l$@ËÌÈÉ×ÏÈÍÎÛØÚÙÊÜÝÞßàáãäå@ErrorÀRuntime error at 00000000À0123456789ABCDEFÿÿÿÿàO@ÀÀ@@J7<äºÏ¿}ªiFîµä[Jú-EÝ]³QçëqØ'ÓØ'ÓØ'ÖØ7nØ$ÓsØ$ÓsØ$nsØ7ÓsØ7ÖsØ$ÓØ7Ø7ÖØ7ÖsØ$ÓØ$nsØ$nsØ7Ø$ÓØ$nsØ$nsØ7ÖsØ$ÓsØÔØ'ØØsØXØ$ÓØ'ÖØqØ'ÖØáveÛe3ôs>v÷E±Yêá)VûAr5d2'òÂØMY pê5ù©ñÌ-þ+~R¶ÖæÐvMºoß3 v§·5vÅÞ¸`6©¤á þáx.¢Wï)b!ò²jíïz´Ì·\|X¸q/Õæ?dEzãîs£3Ãhp>4Æ7èËJ\|úðØèëá¾iAò¡úèÌ3áHþíG\rgã@À¥[\ë¸?áRÃénSÑÒ-´¼;ÐÍñ[MQ¶SEvr]`U¥Ýê(èúmü'~àÖ.ÚÅÂÅÃ3Â%G°j°Uî½S:Ì¦æä[½V¿vz½åÁL}¸<ÿ,9ÞýV_:Â9 ç½WùÙÔÛoSûËÛ`Qé6ñ¡àwËm¥Anm'o-°aÃÐµ1ä¨5[þ'Çè©Ð¦¿q¤ÞÆ +ºê$gÌ7¶G~Ø: ðDºÜÑk½´úÓæ`¸{ÈQÖÎ<Aæ>5²+X2`ÿ0e¢÷¼Aâ@PD%ÌÐÒ:¨»efk®Z¨ÃÌPÒÕcÕéN{»¨¤¦b«?O±óÝ0ZRÔèÌÚÃOË©¤×`TwR\ÀàÄËÃÐÃsS¦@O±j¹}¢ì Jg_ÍYÇò @'¸PÂZ°)zãp>cXgÇ¼\|½\ÏODná)ü7Lôû8a³Ô´:3ªÆôë¥øGgPnº1½·ÕÔ^)õ/2{Û¸<T¾i#©È7ný_Fû^înB!ôëäRÛc-dèmàÇ«>WÆÄNä¨«$há:_p$Öd^}QÏ kï8áeÏÌË%V¿âFNØ\ðøG;æ1Èy¤SÇ,°!#fñÄþ j®Þ Ø\|íälçÇ+ÆÚ EÅÅ$Ü¶Dë Í!kù,ú"dlQ(°ÇMIÎ,p#°)]ÕÙ9i-0àl&®ª!YÑoPÝ+¾9}\±¡©Ù.¿4#D.§×è¼R I±£ç 1ÔTû_v¿tÂmÿóJQ÷Ð\pk+Fæ_h:÷Ù æÄ £8 c+-û2_ö0ýcQò¸dtµ+ûÞ¸¦åð#t êqêR(PY» ïÀ(¢#ÓÏÆÌzÓ ¯N$ÇAÇAôÆApÇA¤ÆAÇA@ÇAhÇAlÆA,ÇA¼ÆAÇA°ÆAÆAÄÆA´°AÇAÇAÇA(ÈA\ÇAüÆA4ÇA\|ÆAÆAìÆA ÇA<ÇA¸°AèÆA¤ÇA°°AÀÆAÇA¸ÆAdÆA°ÇAðÆA ÇA´ÆA(ÇAÈÇAØ°A¼°AÆAÇAÇAÇAÆA ÆA8ÇA¬ÆAPÇA¬ÇAÆALÇAøÆAÌÆADÇA`ÇA¬°A ÈA¨ÇAÇAÇAÈÆAÆAÇAÆA0ÇAhÆAHÇA´ÇAmacakslcaq.ug base_address: 0x0041b000 process_identifier: 6200 process_handle: 0x000004c8	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: ,ÒÜÐ ÔHÑXÔXÑÔhÑàÔxÑÕÑ8ÕÑºÖðÑ*×Òp× Ò:ÒRÒjÒÒÒ¬Ò¼ÒÈÒÖÒæÒÓÓ$Ó:ÓPÓbÓtÓÓÓ®Ó¼ÓÊÓÖÓòÓþÓÔ,Ô>ÔLÔfÔzÔÔ¦Ô¶ÔÌÔîÔÕ Õ.ÕFÕRÕZÕfÕxÕÕÕ¦Õ¶ÕÆÕØÕìÕÖÖ.ÖBÖPÖ`ÖrÖ~ÖÖÖ®ÖÄÖÔÖäÖðÖ× ×6×B×V×^×z××kernel32.dllDeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdWideCharToMultiByteMultiByteToWideCharGetThreadLocaleGetStartupInfoAGetModuleFileNameAGetLocaleInfoAGetCommandLineAFreeLibraryExitProcessWriteFileUnhandledExceptionFilterRtlUnwindRaiseExceptionGetStdHandleuser32.dllGetKeyboardTypeMessageBoxACharNextAadvapi32.dllRegQueryValueExARegOpenKeyExARegCloseKeyoleaut32.dllSysFreeStringSysReAllocStringLenSysAllocStringLenkernel32.dllGetModuleHandleAadvapi32.dllRegOpenKeyExARegEnumKeyAFreeSidkernel32.dllWriteFileSleepLocalFreeLoadLibraryExWLoadLibraryAGlobalUnlockGlobalLockGetTickCountGetSystemInfoGetProcAddressGetModuleHandleAGetModuleFileNameAGetFileAttributesWGetCurrentProcessIdGetCurrentProcessFreeLibraryFindNextFileWFindFirstFileWFindCloseExitProcessDeleteFileWCreateDirectoryWCopyFileWgdi32.dllSelectObjectDeleteObjectDeleteDCCreateCompatibleDCCreateCompatibleBitmapBitBltuser32.dllReleaseDCGetSystemMetricsGetDCCharToOemBuffAole32.dllOleInitializeCoCreateInstance base_address: 0x0041d000 process_identifier: 6200 process_handle: 0x000004c8	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: base_address: 0x0041e000 process_identifier: 6200 process_handle: 0x000004c8	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 6200 process_handle: 0x000004c8	1	1
NtSetContextThread May 1, 2021, 9:28 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000004cc process_identifier: 6200	1	0
NtResumeThread May 1, 2021, 9:28 a.m.	thread_handle: 0x000004cc suspend_count: 1 process_identifier: 6200	1	0
NtResumeThread May 1, 2021, 9:28 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 8724	1	0
NtResumeThread May 1, 2021, 9:28 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 8724	1	0
NtResumeThread May 1, 2021, 9:28 a.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 8724	1	0
NtResumeThread May 1, 2021, 9:28 a.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 8724	1	0
CreateProcessInternalW May 1, 2021, 9:28 a.m.	thread_identifier: 7076 thread_handle: 0x00000274 process_identifier: 6912 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ozflkjgfkldsad.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\ozflkjgfkldsad.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000278	1	1
NtGetContextThread May 1, 2021, 9:28 a.m.	thread_handle: 0x00000274	1	0
NtAllocateVirtualMemory May 1, 2021, 9:28 a.m.	process_identifier: 6912 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000278	1	0
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $8±K¿\|Ð%ì\|Ð%ì\|Ð%ìï½ì}Ð%ì¦»ìdÐ%ì¦ìùÐ%ì¦ìOÐ%ìu¨¦ì~Ð%ìu¨¶ì{Ð%ì\|Ð$ìÐ%ì¦ìvÐ%ì¦¸ì}Ð%ìRich\|Ð%ìPELÎ^à 0âz@@@D¨Pôh@@.text.0 `.rdatalq@r4@@.data¨CÀ¦@À.reloc0+,¸@B base_address: 0x00400000 process_identifier: 6912 process_handle: 0x00000278	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: base_address: 0x00401000 process_identifier: 6912 process_handle: 0x00000278	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: base_address: 0x00424000 process_identifier: 6912 process_handle: 0x00000278	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: base_address: 0x0042c000 process_identifier: 6912 process_handle: 0x00000278	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: base_address: 0x00431000 process_identifier: 6912 process_handle: 0x00000278	1	1
WriteProcessMemory May 1, 2021, 9:28 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 6912 process_handle: 0x00000278	1	1
NtSetContextThread May 1, 2021, 9:28 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4291211 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000274 process_identifier: 6912	1	0
NtResumeThread May 1, 2021, 9:28 a.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 6912	1	0
NtResumeThread May 1, 2021, 9:28 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 6200	1	0

azflkjgfkldsad.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All