Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 22, 2021, 6:08 p.m.	June 22, 2021, 6:11 p.m.

Size	251.4KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`28906318e1bfa9949cd086e807a0f220`
SHA256	`3c4c4cb0e9a48e8203ebe67da38dcfdc0d888213424ddd335a767f6a04e798ff`
CRC32	`69A937B2`
ssdeep	`3072:Fw5tuhTTKtpWAFPmM9Kx067MjdfOW7B9tNY12xGLgzONzW:FkgxAFfOWN/o2x8gzONi`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

prince_of_persia_P_v4_x86.exe "C:\Users\test22\AppData\Local\Temp\prince_of_persia_P_v4_x86.exe"
2208
- netsh.exe C:\Windows\system32\netsh.exe
  6192

Name	Response	Post-Analysis Lookup
nidhoggr.club	A 185.112.146.165	185.112.146.165

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
185.112.146.165	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49812 -> 185.112.146.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49816 -> 185.112.146.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49815 -> 185.112.146.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49810 -> 185.112.146.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49818 -> 185.112.146.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49819 -> 185.112.146.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49814 -> 185.112.146.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49820 -> 185.112.146.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49822 -> 185.112.146.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49821 -> 185.112.146.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49813 -> 185.112.146.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49817 -> 185.112.146.165:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49812 185.112.146.165:443	None	None	None
TLSv1 192.168.56.102:49816 185.112.146.165:443	None	None	None
TLSv1 192.168.56.102:49815 185.112.146.165:443	None	None	None
TLSv1 192.168.56.102:49810 185.112.146.165:443	CN=nidhoggr.club	CN=nidhoggr.club	40:61:70:26:a9:4a:6d:c3:cc:d3:c8:7c:bb:33:aa:c0:00:12:d0:6f
TLSv1 192.168.56.102:49818 185.112.146.165:443	None	None	None
TLSv1 192.168.56.102:49819 185.112.146.165:443	None	None	None
TLSv1 192.168.56.102:49814 185.112.146.165:443	None	None	None
TLSv1 192.168.56.102:49820 185.112.146.165:443	None	None	None
TLSv1 192.168.56.102:49822 185.112.146.165:443	None	None	None
TLSv1 192.168.56.102:49821 185.112.146.165:443	None	None	None
TLSv1 192.168.56.102:49813 185.112.146.165:443	None	None	None
TLSv1 192.168.56.102:49817 185.112.146.165:443	None	None	None

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 22, 2021, 6:08 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 22, 2021, 6:08 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 22, 2021, 6:08 p.m.			0	0
IsDebuggerPresent June 22, 2021, 6:08 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA June 22, 2021, 6:08 p.m.	buffer: netsh> console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 110 events)

Time & API	Arguments	Status	Return
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007867f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007867f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007868b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007868b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786a78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786a78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007869b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786cb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786bb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 22, 2021, 6:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00786c78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 22, 2021, 6:08 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST https://nidhoggr.club/hilde/ghost/isabella/spy/corrosive/jasmin/steel/jaquenetta?corrosive=hazardousd1cdbebf-220a-4726-87c6-1c3855c9c262/?poP7OSkLBNturHY

Performs some HTTP requests (20 events)

request	GET https://nidhoggr.club/slither/overnoise/infiltrator/giulietta/collapsar/
request	GET https://nidhoggr.club/isabelle/Hulda/dark/isabella?crepuscular=isadoradcc4d3c3-0e97-40ed-98bc-e856a5c2f8ca/?poP7OSkLBNturHY
request	POST https://nidhoggr.club/hilde/ghost/isabella/spy/corrosive/jasmin/steel/jaquenetta?corrosive=hazardousd1cdbebf-220a-4726-87c6-1c3855c9c262/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/subreptice/corrosive/slither/evil/suzie/undiscovered/unbeaten/noiselessly/Isidora/noisemaking/ivy?giustina=dark10f9ba50-c5d1-4e00-ab9e-541e6144061f/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/dim/hildagarde/grey/Iseabal/7326892f-c4f3-4728-9b5e-a22d33c3b139/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/hilde/ghost/isabella/spy/corrosive/jasmin/steel/jaquenetta?corrosive=hazardous1e58acfe-6387-4707-b70e-6e95181f902f/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/noised/noiseful/malicious/drab/unbeaten/shadow/39152ab9-6ffb-4b19-811e-e9538a897d93/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/turbulent/Ivette/nova/dull/fighter?fading=isabellaff06fa1a-1992-43ef-9704-2913c9b2299e/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/Gizela/ivie/jaquelyn/isabelita/Honor/noiseless/780990e3-289e-448e-9ae9-2674b0e3f3a2/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/suzie/suzette/nuclear/unknown/metallic/discreet/undercover/dark?ivy=isis7da76ce4-eabc-48f5-b3df-769296a4b738/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/dreary/dull/Isahella/isobel/cheerless/dull/cheerless/noisefulness/counternoise?spy=champion7312d3e3-fe83-4e36-a09f-2faea02ce400/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/jasmina/jaquenette/obscure/dull/dormant?strange=cheerless5039d36f-1fe0-46d6-a3bc-d0d81257b6fe/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/noisefulness/Hyacinth/ballistic/hynda?silent=faultyc5390449-e189-426e-a0a4-7167c229cd83/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/issie/furtive/Hyacintha/noise/undiscovered/hazardous/Ivette?Adelina=noised994b6e21-8a8f-4128-bfc4-7637963c9483/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/Gizela/unrecognized/noiselessly/colorless/nova?Odilia=janayaeb53ebd1-51a1-41df-8408-4370caceac3e/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/dolorous/sneaky/janaya/5055beb4-7979-414a-bfc0-644fa8e029fb/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/Hildagard/ivory/spy/evil/Hyacintha/unrecognized/quiet/Hyacintha/ghost/dark/ae029445-9427-40f7-bb59-2b36300b52e6/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/jaquelyn/stygian/corrosive/drab/jaquith/hyacinthe/hunter/Hope/winterly/joyless?colorless=iviee714bab2-5dfd-491a-a93f-d380656997c1/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/issie/furtive/Hyacintha/noise/undiscovered/hazardous/Ivette?Adelina=noised1e38d28d-61d7-460d-a3f0-89548c65ef63/?poP7OSkLBNturHY
request	GET https://nidhoggr.club/slither/overnoise/infiltrator/giulietta/collapsar/2ee38670-d342-4fec-99b0-a4f7f4bea0e4/?poP7OSkLBNturHY

Sends data using the HTTP POST Method (1 event)

request

POST https://nidhoggr.club/hilde/ghost/isabella/spy/corrosive/jasmin/steel/jaquenetta?corrosive=hazardousd1cdbebf-220a-4726-87c6-1c3855c9c262/?poP7OSkLBNturHY

Allocates read-write-execute memory (usually to unpack itself) (50 out of 226 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f881000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f882000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03001000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03002000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77400000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03003000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00df6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ded000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00df7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00def000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 22, 2021, 6:08 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 22, 2021, 6:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\system32\netsh.exe

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 22, 2021, 6:08 p.m.	process_identifier: 6192 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000004c	1	0	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Generic.Exploit.Shellcode.RDI.4.9B597319
ALYac	Generic.Exploit.Shellcode.RDI.4.9B597319
Cylance	Unsafe
Zillya	Trojan.Injector.Win32.832334
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00570e801 )
K7GW	Trojan ( 00570e801 )
Cybereason	malicious.8e1bfa
Arcabit	Generic.Exploit.Shellcode.RDI.4.9B597319
BitDefenderTheta	Gen:NN.ZexaF.34678.p8Y@aeK1PWl
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.ENCW
APEX	Malicious
Avast	Win32:InjectorX-gen [Trj]
BitDefender	Generic.Exploit.Shellcode.RDI.4.9B597319
NANO-Antivirus	Trojan.Win32.Zenpak.imccim
Rising	Trojan.Injector!8.C4 (RDMK:cmRtazrVVPuJckTUjWVpm08mp3oT)
Ad-Aware	Generic.Exploit.Shellcode.RDI.4.9B597319
Emsisoft	Generic.Exploit.Shellcode.RDI.4.9B597319 (B)
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Generic.dm
FireEye	Generic.mg.28906318e1bfa994
Ikarus	Trojan.Win32.Meterpreter
Avira	TR/Hijacker.Gen
Microsoft	VirTool:MSIL/PoshC2.D
GData	Generic.Exploit.Shellcode.RDI.4.9B597319
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.RL_Generic.R361916
MAX	malware (ai score=80)
VBA32	BScope.Trojan-Dropper.Inject
AVG	Win32:InjectorX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_60% (W)

prince_of_persia_P_v4_x86.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All