Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 12, 2021, 9:23 a.m.	May 12, 2021, 9:31 a.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9ed17a3e5105ce4397d81965069ac0a8`
SHA256	`4f8e0185fbd30f92a58d1846b85105db4942fb932c10c57705e6ff1a856d804d`
CRC32	`A5941BD9`
ssdeep	`1536:DhBveHJO7ezqnZ/vIqXVGPKwlzlEtxO19eJgijxI0pti+nkH367BLy3dEkKCV4CL:Dh2EgFbL`
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

EIO.exe "C:\Users\test22\AppData\Local\Temp\EIO.exe"
656
- cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
  4936
  - timeout.exe timeout 1
    7400
- EIO.exe "C:\Users\test22\AppData\Local\Temp\EIO.exe"
  8800
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs"
    3752
    - cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\win.exe"
      6200
      - win.exe C:\Users\test22\AppData\Roaming\win.exe
        6472
        
        cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
        3812
        
        timeout.exe timeout 1
        4004
        
        win.exe "C:\Users\test22\AppData\Roaming\win.exe"
        7476

Name	Response	Post-Analysis Lookup
ghdyuienah123.freedynamicdns.org	A 46.243.248.86	46.243.248.86

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
46.243.248.86	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:57660 -> 164.124.101.2:53	2028680	ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .org	Potentially Bad Traffic
UDP 192.168.56.102:61459 -> 164.124.101.2:53	2028680	ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .org	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 12, 2021, 9:23 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 12, 2021, 9:23 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 12, 2021, 9:23 a.m.			0	0
IsDebuggerPresent May 12, 2021, 9:23 a.m.			0	0
IsDebuggerPresent May 12, 2021, 9:23 a.m.			0	0
IsDebuggerPresent May 12, 2021, 9:23 a.m.			0	0
IsDebuggerPresent May 12, 2021, 9:23 a.m.			0	0
IsDebuggerPresent May 12, 2021, 9:23 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 12, 2021, 9:23 a.m.	buffer: Waiting for 1 console_handle: 0x00000007	1	1
WriteConsoleW May 12, 2021, 9:23 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1
WriteConsoleW May 12, 2021, 9:23 a.m.	buffer: Waiting for 1 console_handle: 0x00000007	1	1
WriteConsoleW May 12, 2021, 9:23 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey May 12, 2021, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569068 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00568fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00568fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762b00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00762a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 12, 2021, 9:23 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 12, 2021, 9:23 a.m.	stacktrace: 0x6d5b44 0x6d5077 0x6d069f DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6f581838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6f581737 mscorlib+0x2d3711 @ 0x64e83711 mscorlib+0x308f2d @ 0x64eb8f2d mscorlib+0x2cb060 @ 0x64e7b060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6f581838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6f581737 mscorlib+0x2d36ad @ 0x64e836ad mscorlib+0x308f2d @ 0x64eb8f2d microsoft+0x50c17 @ 0x72a20c17 microsoft+0x3f33f @ 0x72a0f33f microsoft+0x3edf8 @ 0x72a0edf8 microsoft+0x3e3b9 @ 0x72a0e3b9 microsoft+0x17e980 @ 0x72b4e980 system+0x3cdb3f @ 0x648cdb3f 0x20f04d4 0x6d0487 0x6d02bb 0x6d007c DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6f5c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6f5c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6f651dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x743ef5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74467f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74464de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 0f b6 01 88 02 0f b6 41 01 88 42 01 0f bf 45 e0 exception.instruction: movzx eax, byte ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: mscorlib+0x305ada exception.address: 0x64eb5ada registers.esp: 6481348 registers.edi: 6481372 registers.eax: 0 registers.ebp: 6481384 registers.edx: 6481352 registers.ebx: 43893988 registers.esi: 11337807 registers.ecx: 11337807	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 12, 2021, 9:23 a.m.

stacktrace:

0x6d5b44
0x6d5077
0x6d069f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6f581838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6f581737
mscorlib+0x2d3711 @ 0x64e83711
mscorlib+0x308f2d @ 0x64eb8f2d
mscorlib+0x2cb060 @ 0x64e7b060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6f502652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x6f581838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x6f581737
mscorlib+0x2d36ad @ 0x64e836ad
mscorlib+0x308f2d @ 0x64eb8f2d
microsoft+0x50c17 @ 0x72a20c17
microsoft+0x3f33f @ 0x72a0f33f
microsoft+0x3edf8 @ 0x72a0edf8
microsoft+0x3e3b9 @ 0x72a0e3b9
microsoft+0x17e980 @ 0x72b4e980
system+0x3cdb3f @ 0x648cdb3f
0x20f04d4
0x6d0487
0x6d02bb
0x6d007c
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6f51264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6f512e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6f5c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6f5c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6f651dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6f651e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6f651f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6f65416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x743ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74467f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74464de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 0f b6 01 88 02 0f b6 41 01 88 42 01 0f bf 45 e0
exception.instruction: movzx eax, byte ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol: mscorlib+0x305ada
exception.address: 0x64eb5ada
registers.esp: 6481348
registers.edi: 6481372
registers.eax: 0
registers.ebp: 6481384
registers.edx: 6481352
registers.ebx: 43893988
registers.esi: 11337807
registers.ecx: 11337807

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 142 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00456000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00631000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 30 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fffff process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400007 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040000b process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040000f process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400015 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040001b process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040001f process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400027 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040002b process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400033 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040003b process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040004b process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040004f process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400053 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400057 process_handle: 0xffffffff		3221225550

A process attempted to delay the analysis task. (1 event)

description

win.exe tried to sleep 338 seconds, actually delayed analysis time by 338 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

Creates a suspicious process (3 events)

cmdline	cmd.exe /c timeout 1
cmdline	"C:\Windows\System32\cmd.exe" /c timeout 1
cmdline	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\win.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 12, 2021, 9:23 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1
ShellExecuteExW May 12, 2021, 9:23 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\install.vbs parameters: filepath: C:\Users\test22\AppData\Local\Temp\install.vbs	1	1
ShellExecuteExW May 12, 2021, 9:23 a.m.	show_type: 0 filepath_r: cmd parameters: /c "C:\Users\test22\AppData\Roaming\win.exe" filepath: cmd	1	1
ShellExecuteExW May 12, 2021, 9:23 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 12, 2021, 9:23 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 12, 2021, 9:23 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (38 events)

description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess May 12, 2021, 9:23 a.m.	status_code: 0xffffffff process_identifier: 2060 process_handle: 0x000003dc
NtTerminateProcess May 12, 2021, 9:23 a.m.	status_code: 0xffffffff process_identifier: 2060 process_handle: 0x000003dc	1
NtTerminateProcess May 12, 2021, 9:23 a.m.	status_code: 0xffffffff process_identifier: 6912 process_handle: 0x000003e4
NtTerminateProcess May 12, 2021, 9:23 a.m.	status_code: 0xffffffff process_identifier: 6912 process_handle: 0x000003e4	1

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 676e91dbaad3911c203a99d4b8e6650b925e6057

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 8800 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d0	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 2060 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c0		3221225496
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 6912 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d8		3221225496
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 7476 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e0	1	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\win				reg_value	"C:\Users\test22\AppData\Roaming\win.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\win				reg_value	"C:\Users\test22\AppData\Roaming\win.exe"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 6472 manipulating memory of non-child process 2060
Process injection	Process 6472 manipulating memory of non-child process 6912
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 2060 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c0	3221225496	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 6912 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d8	3221225496	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 8800 process_handle: 0x000003d0	1	1	0
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 7476 process_handle: 0x000003e0	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 12, 2021, 9:23 a.m.	thread_identifier: 0 callback_function: 0x004052ba hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	53150201	0

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.9ed17a3e5105ce43
McAfee	Artemis!9ED17A3E5105
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.4d42cc
Cyren	W32/MSIL_Kryptik.DNB.gen!Eldorado
APEX	Malicious
McAfee-GW-Edition	Artemis!Trojan
Ikarus	Trojan.MSIL.PSW
Cynet	Malicious (score: 100)
SentinelOne	Static AI - Malicious PE

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 656 called NtSetContextThread to modify thread in remote process 8800
Process injection	Process 6472 called NtSetContextThread to modify thread in remote process 7476
NtSetContextThread May 12, 2021, 9:23 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4276132 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003cc process_identifier: 8800	1	0	0
NtSetContextThread May 12, 2021, 9:23 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4276132 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003e4 process_identifier: 7476	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	cmd /c "C:\Users\test22\AppData\Roaming\win.exe"
parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\win.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 656 resumed a thread in remote process 8800
Process injection	Process 6472 resumed a thread in remote process 7476
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x000003cc suspend_count: 1 process_identifier: 8800	1	0	0
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x000003e4 suspend_count: 1 process_identifier: 7476	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

46.243.248.86:2006

Executed a process and injected code into it, probably while unpacking (48 events)

Time & API	Arguments	Status	Return
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 656	1	0
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 656	1	0
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 656	1	0
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 656	1	0
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 656	1	0
CreateProcessInternalW May 12, 2021, 9:23 a.m.	thread_identifier: 3172 thread_handle: 0x000003c0 process_identifier: 4936 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout 1 filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003c8	1	1
CreateProcessInternalW May 12, 2021, 9:23 a.m.	thread_identifier: 5980 thread_handle: 0x000003cc process_identifier: 8800 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\EIO.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\EIO.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003d0	1	1
NtGetContextThread May 12, 2021, 9:23 a.m.	thread_handle: 0x000003cc	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 8800 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d0	1	0
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: base_address: 0x00400000 process_identifier: 8800 process_handle: 0x000003d0	1	1
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: base_address: 0x00401000 process_identifier: 8800 process_handle: 0x000003d0	1	1
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: base_address: 0x00415000 process_identifier: 8800 process_handle: 0x000003d0	1	1
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: base_address: 0x0041b000 process_identifier: 8800 process_handle: 0x000003d0	1	1
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: base_address: 0x0041d000 process_identifier: 8800 process_handle: 0x000003d0	1	1
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: base_address: 0x0041e000 process_identifier: 8800 process_handle: 0x000003d0	1	1
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 8800 process_handle: 0x000003d0	1	1
NtSetContextThread May 12, 2021, 9:23 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4276132 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003cc process_identifier: 8800	1	0
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x000003cc suspend_count: 1 process_identifier: 8800	1	0
CreateProcessInternalW May 12, 2021, 9:23 a.m.	thread_identifier: 1472 thread_handle: 0x00000084 process_identifier: 7400 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 1 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x0000026c suspend_count: 1 process_identifier: 8800	1	0
CreateProcessInternalW May 12, 2021, 9:23 a.m.	thread_identifier: 2228 thread_handle: 0x00000290 process_identifier: 3752 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000284	1	1
CreateProcessInternalW May 12, 2021, 9:23 a.m.	thread_identifier: 3624 thread_handle: 0x000002d0 process_identifier: 6200 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\win.exe" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c4	1	1
CreateProcessInternalW May 12, 2021, 9:23 a.m.	thread_identifier: 4672 thread_handle: 0x00000084 process_identifier: 6472 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\win.exe track: 1 command_line: C:\Users\test22\AppData\Roaming\win.exe filepath_r: C:\Users\test22\AppData\Roaming\win.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 6472	1	0
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 6472	1	0
CreateProcessInternalW May 12, 2021, 9:23 a.m.	thread_identifier: 7532 thread_handle: 0x000003cc process_identifier: 3812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout 1 filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d4	1	1
CreateProcessInternalW May 12, 2021, 9:23 a.m.	thread_identifier: 6596 thread_handle: 0x000003d4 process_identifier: 2060 current_directory: filepath: C:\Users\test22\AppData\Roaming\win.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\win.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003c0	1	1
NtGetContextThread May 12, 2021, 9:23 a.m.	thread_handle: 0x000003d4	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 2060 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003c0		3221225496
CreateProcessInternalW May 12, 2021, 9:23 a.m.	thread_identifier: 7076 thread_handle: 0x000003dc process_identifier: 6912 current_directory: filepath: C:\Users\test22\AppData\Roaming\win.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\win.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003d8	1	1
NtGetContextThread May 12, 2021, 9:23 a.m.	thread_handle: 0x000003dc	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 6912 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003d8		3221225496
CreateProcessInternalW May 12, 2021, 9:23 a.m.	thread_identifier: 7912 thread_handle: 0x000003e4 process_identifier: 7476 current_directory: filepath: C:\Users\test22\AppData\Roaming\win.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\win.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003e0	1	1
NtGetContextThread May 12, 2021, 9:23 a.m.	thread_handle: 0x000003e4	1	0
NtAllocateVirtualMemory May 12, 2021, 9:23 a.m.	process_identifier: 7476 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003e0	1	0
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: base_address: 0x00400000 process_identifier: 7476 process_handle: 0x000003e0	1	1
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: base_address: 0x00401000 process_identifier: 7476 process_handle: 0x000003e0	1	1
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: base_address: 0x00415000 process_identifier: 7476 process_handle: 0x000003e0	1	1
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: base_address: 0x0041b000 process_identifier: 7476 process_handle: 0x000003e0	1	1
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: base_address: 0x0041d000 process_identifier: 7476 process_handle: 0x000003e0	1	1
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: base_address: 0x0041e000 process_identifier: 7476 process_handle: 0x000003e0	1	1
WriteProcessMemory May 12, 2021, 9:23 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 7476 process_handle: 0x000003e0	1	1
NtSetContextThread May 12, 2021, 9:23 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4276132 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003e4 process_identifier: 7476	1	0
NtResumeThread May 12, 2021, 9:23 a.m.	thread_handle: 0x000003e4 suspend_count: 1 process_identifier: 7476	1	0
CreateProcessInternalW May 12, 2021, 9:23 a.m.	thread_identifier: 8300 thread_handle: 0x00000084 process_identifier: 4004 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 1 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

EIO.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All