Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 24, 2021, 11:50 p.m.	June 24, 2021, 11:52 p.m.

Size	663.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c1e123df8403bf9087cce44956d6801c`
SHA256	`43b3fa1a455eedfc3a6084046a958b6a41074b92d94ecb5a0262911eab570f86`
CRC32	`5A048B55`
ssdeep	`12288:l9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h8gbgk:vZ1xuVVjfFoynPaVBUR8f+kN10EB1`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen IsPE32 - (no description)

Lady.exe "C:\Users\test22\AppData\Local\Temp\Lady.exe"
2332
- cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp\Lady.exe" +s +h
  2852
  - attrib.exe attrib "C:\Users\test22\AppData\Local\Temp\Lady.exe" +s +h
    3028
- cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h
  1304
  - attrib.exe attrib "C:\Users\test22\AppData\Local\Temp" +s +h
    1632
- notepad.exe notepad
  1892
- smarctscreen.exe "C:\Windows\system32\WinDefender\smarctscreen.exe"
  844
  - notepad.exe notepad
    2480

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
46.147.242.32	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 24, 2021, 11:50 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1	0
WriteConsoleW June 24, 2021, 11:50 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2021, 11:50 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 24, 2021, 11:50 p.m.	stacktrace: lady+0x978a @ 0x40978a lady+0x8fef1 @ 0x48fef1 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1637628 registers.edi: 0 registers.eax: 1637628 registers.ebp: 1637708 registers.edx: 0 registers.ebx: 4229144 registers.esi: 1637784 registers.ecx: 7	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2332 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2332 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ff0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 844 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 844 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73702000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

smarctscreen.exe tried to sleep 229 seconds, actually delayed analysis time by 229 seconds

Creates a suspicious process (4 events)

cmdline	cmd.exe /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h
cmdline	cmd.exe /k attrib "C:\Users\test22\AppData\Local\Temp\Lady.exe" +s +h
cmdline	"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h
cmdline	"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp\Lady.exe" +s +h

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\Lady.exe

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 24, 2021, 11:50 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /k attrib "C:\Users\test22\AppData\Local\Temp\Lady.exe" +s +h filepath: cmd.exe	1	1
ShellExecuteExW June 24, 2021, 11:50 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h filepath: cmd.exe	1	1
CreateProcessInternalW June 24, 2021, 11:50 p.m.	thread_identifier: 2364 thread_handle: 0x00000280 process_identifier: 1892 current_directory: filepath: track: 1 command_line: notepad filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000290	1	1
CreateProcessInternalW June 24, 2021, 11:50 p.m.	thread_identifier: 2316 thread_handle: 0x000001c8 process_identifier: 2480 current_directory: filepath: track: 1 command_line: notepad filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001cc	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (20 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW June 24, 2021, 11:50 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Terminates another process (1 event)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 24, 2021, 11:50 p.m.	status_code: 0x00000000 process_identifier: 1892 process_handle: 0x00000160		0	0

Uses Windows utilities for basic Windows functionality (6 events)

cmdline	cmd.exe /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h
cmdline	attrib "C:\Users\test22\AppData\Local\Temp\Lady.exe" +s +h
cmdline	cmd.exe /k attrib "C:\Users\test22\AppData\Local\Temp\Lady.exe" +s +h
cmdline	attrib "C:\Users\test22\AppData\Local\Temp" +s +h
cmdline	"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h
cmdline	"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp\Lady.exe" +s +h

Communicates with host for which no DNS query was performed (1 event)

host

46.147.242.32

Allocates execute permission to another process indicative of possible code injection (33 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00160000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00170000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00190000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1

Installs itself for autorun at Windows startup (14 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit	reg_value	C:\Windows\system32\userinit.exe,C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenfer	reg_value	C:\Windows\system32\WinDefender\smarctscreen.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\Lady.exe

Creates known Fynloski/DarkComet files, registry keys and/or mutexes (3 events)

mutex	DCPERSFWBP
regkey	HKEY_CURRENT_USER\Software\DC3_FEXEC
regkey	HKEY_CURRENT_USER\Software\DC2_USERS

Potential code injection by writing to the memory of another process (33 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: kernel32.dll base_address: 0x000b0000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: user32.dll base_address: 0x000c0000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: Sleep base_address: 0x000d0000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: MessageBoxA base_address: 0x000e0000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: ExitThread base_address: 0x000f0000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: DeleteFileA base_address: 0x00100000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: GetLastError base_address: 0x00110000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: TerminateProcess base_address: 0x00120000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: CloseHandle base_address: 0x00130000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: OpenProcess base_address: 0x00140000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: GetExitCodeProcess base_address: 0x00150000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\Lady.exe base_address: 0x001a0000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: ×Isu"suF@Õ?wDTsuÀsuØtususuMtu d base_address: 0x001b0000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: UìSVW]C4PC,PÿPÿSCC8PC0PÿPÿSCC<PC,PÿPÿSCC@PC,PÿPÿSCCDPC,PÿPÿSCCHPC,PÿPÿSCCTPC,PÿPÿSC CLPC,PÿPÿSC$CPPC,PÿPÿSC(ëÿSøthôÿSC\PÿSÀtåCXPjjÿS$ðötWVÿS(WVÿSVÿS jÿS_^[]ÂÀUìÄ@ÿÿÿSV3ÉMôUøEüEüè. ùÿEøè& ùÿu3ÀUhFRGdÿ0d Pÿÿÿ3ÉºDè+ëøÿÇPÿÿÿDÇ\|ÿÿÿfÇE@ÿÿÿPPÿÿÿPjjhjjjEüèÔ ùÿPjè)ùÿ@ÿÿÿEüèNRùÿÀu Eüº\RGèùÿEøè5RùÿÀu Uø3Àèï¡ùÿEôUøèxùÿºdRGÃèüüÿÿF,ºtRGÃèíüÿÿF0ºRGÃèÞüÿÿF4ºRGÃèÏüÿÿF8ºRGÃèÀüÿÿF<º RGÃè±üÿÿF@º¬RGÃè¢üÿÿFDº¼RGÃèüÿÿFHºÐRGÃèüÿÿFTºÜRGÃèuüÿÿFLºèRGÃèfüÿÿFPEôèßùÿÐÃèRüÿÿF\HÿÿÿFXhüRGhSGèç)ùÿPèé)ùÿhSGhSGèÐ)ùÿPèÒ)ùÿFhRGhSGè¸)ùÿPèº)ùÿFhRGhSGè )ùÿPè¢)ùÿFhRGhSGè)ùÿPè)ùÿFh RGhSGèp)ùÿPèr)ùÿFh¬RGhSGèX)ùÿPèZ)ùÿFh¼RGhSGè@)ùÿPèB)ùÿFhÐRGhSGè()ùÿPè*)ùÿF hÜRGhSGè)ùÿPè)ùÿF$hèRGhSGèø(ùÿPèú(ùÿF(j`jÎºNGÃèõûÿÿ3ÀZYYdhMRGEôºèùÿÃ base_address: 0x001c0000 process_identifier: 1892 process_handle: 0x00000290	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: kernel32.dll base_address: 0x000b0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: user32.dll base_address: 0x000c0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: Sleep base_address: 0x000d0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: MessageBoxA base_address: 0x000e0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: CreateProcessA base_address: 0x000f0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: GetLastError base_address: 0x00100000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: SetLastError base_address: 0x00150000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: CreateMutexA base_address: 0x00160000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: CloseHandle base_address: 0x00170000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: ExitThread base_address: 0x00180000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: OpenProcess base_address: 0x00190000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: DCPERSFWBP base_address: 0x001a0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: TerminateProcess base_address: 0x001b0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: GetExitCodeProcess base_address: 0x001c0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: SECURITY_WINDL-KETFP7Y base_address: 0x001d0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: WaitForSingleObject base_address: 0x001e0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: C:\Windows\SysWOW64\WinDefender\smarctscreen.exe base_address: 0x001f0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: ×Isu"suý`uÿsuÀsursu6su©suÕ?wsuØtusuMtukLsu ° base_address: 0x00010000 process_identifier: 2480 process_handle: 0x000001cc	1	1
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: UìÄ¬SVW]C@PC8PÿPÿSCCDPC<PÿPÿSCCTPC8PÿPÿSCCXPC8PÿPÿSCCHPC8PÿPÿSCCLPC8PÿPÿSCCPPC8PÿPÿSC4C`PC8PÿPÿSC,ClPC8PÿPÿSC(ChPC8PÿPÿSC0CdPC8PÿPÿSC CpPC8PÿPÿSC$jÿSCxPjjÿS4ÿS=·u$C\|PjjÿS$øÿtVWÿS0VWÿS(WÿS,jÿS jÿSC\PjjÿS4øÿS=·tRWÿS,ÇE¼DE¬PE¼PjjjjjjCtPjÿSÀt3öhÈE¬PÿSèsÎÿötèë¼hÐÿSë²WÿS,hôÿSë_^[å]ÂUìÄ ÿÿÿSVWMôUøEüEüèëùÿEøèãùÿEôèÛùÿµtÿÿÿ3ÀUh)XGdÿ0d 0ÿÿÿ3ÉºDèÝåøÿÇ0ÿÿÿDÇ\ÿÿÿfÇ`ÿÿÿEüè0MùÿÀu Eüº@XGè{ùÿEøèMùÿÀu Uø3ÀèÑùÿ¿HXG ÿÿÿP0ÿÿÿPjjhjjjEüèOùÿPjè$ùÿ ÿÿÿºTXGÃè±÷ÿÿF8ºdXGÃè¢÷ÿÿF<ºpXGÃè÷ÿÿF@ºxXGÃè÷ÿÿFDºXGÃèu÷ÿÿFTºXGÃèf÷ÿÿFHº¤XGÃèW÷ÿÿFLº´XGÃèH÷ÿÿFPºÄXGÃè9÷ÿÿF`ºÐXGÃè*÷ÿÿFdºÜXGÃè÷ÿÿFp×Ãè÷ÿÿFxºèXGÃè÷ÿÿFlºüXGÃèñöÿÿFhEôèjùÿÐÃèÝöÿÿF\ºYGÃèÎöÿÿFXEøèGùÿÐÃèºöÿÿFt(ÿÿÿF\|h$YGh4YGèO$ùÿPèQ$ùÿh@YGh4YGè8$ùÿPè:$ùÿFhpXGh4YGè $ùÿPè"$ùÿFhxXGhPYGè$ùÿPè $ùÿFhÄXGh4YGèð#ùÿPèò#ùÿF,hXGh4YGèØ#ùÿPèÚ#ùÿFhXGh4YGèÀ#ùÿPèÂ#ùÿFh¤XGh4YGè¨#ùÿPèª#ùÿFh´XGh4YGè#ùÿPè#ùÿF4hüXGh4YGèx#ùÿPèz#ùÿF0hÐXGh4YGè`#ùÿPèb#ùÿF hèXGh4YGèH#ùÿPèJ#ùÿF(hYGh4YGè0#ùÿPè2#ùÿFhÜXGh4YGè#ùÿPè#ùÿF$hjÎº(SGÃèöÿÿ3ÀZYYdh0XGEôºè,ýøÿÃ base_address: 0x00020000 process_identifier: 2480 process_handle: 0x000001cc	1	1

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA June 24, 2021, 11:50 p.m.	thread_identifier: 0 callback_function: 0x004818f8 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	3474067	0

Creates known Jorik Trojan Files, Registry Keys and/or Mutexes (1 event)

file	C:\Windows\SysWOW64\WinDefender\smarctscreen.exe

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

46.147.242.32:1604

Executed a process and injected code into it, probably while unpacking (50 out of 78 events)

Time & API	Arguments	Status	Return
NtResumeThread June 24, 2021, 11:50 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2332	1	0
CreateProcessInternalW June 24, 2021, 11:50 p.m.	thread_identifier: 2228 thread_handle: 0x000002c8 process_identifier: 2852 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp\Lady.exe" +s +h filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d0	1	1
CreateProcessInternalW June 24, 2021, 11:50 p.m.	thread_identifier: 1444 thread_handle: 0x000002c8 process_identifier: 1304 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002bc	1	1
CreateProcessInternalW June 24, 2021, 11:50 p.m.	thread_identifier: 2364 thread_handle: 0x00000280 process_identifier: 1892 current_directory: filepath: track: 1 command_line: notepad filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: kernel32.dll base_address: 0x000b0000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: user32.dll base_address: 0x000c0000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: Sleep base_address: 0x000d0000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: MessageBoxA base_address: 0x000e0000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: ExitThread base_address: 0x000f0000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: DeleteFileA base_address: 0x00100000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: GetLastError base_address: 0x00110000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: TerminateProcess base_address: 0x00120000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: CloseHandle base_address: 0x00130000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: OpenProcess base_address: 0x00140000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: GetExitCodeProcess base_address: 0x00150000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\Lady.exe base_address: 0x001a0000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: ×Isu"suF@Õ?wDTsuÀsuØtususuMtu d base_address: 0x001b0000 process_identifier: 1892 process_handle: 0x00000290	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 1892 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000290	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: UìSVW]C4PC,PÿPÿSCC8PC0PÿPÿSCC<PC,PÿPÿSCC@PC,PÿPÿSCCDPC,PÿPÿSCCHPC,PÿPÿSCCTPC,PÿPÿSC CLPC,PÿPÿSC$CPPC,PÿPÿSC(ëÿSøthôÿSC\PÿSÀtåCXPjjÿS$ðötWVÿS(WVÿSVÿS jÿS_^[]ÂÀUìÄ@ÿÿÿSV3ÉMôUøEüEüè. ùÿEøè& ùÿu3ÀUhFRGdÿ0d Pÿÿÿ3ÉºDè+ëøÿÇPÿÿÿDÇ\|ÿÿÿfÇE@ÿÿÿPPÿÿÿPjjhjjjEüèÔ ùÿPjè)ùÿ@ÿÿÿEüèNRùÿÀu Eüº\RGèùÿEøè5RùÿÀu Uø3Àèï¡ùÿEôUøèxùÿºdRGÃèüüÿÿF,ºtRGÃèíüÿÿF0ºRGÃèÞüÿÿF4ºRGÃèÏüÿÿF8ºRGÃèÀüÿÿF<º RGÃè±üÿÿF@º¬RGÃè¢üÿÿFDº¼RGÃèüÿÿFHºÐRGÃèüÿÿFTºÜRGÃèuüÿÿFLºèRGÃèfüÿÿFPEôèßùÿÐÃèRüÿÿF\HÿÿÿFXhüRGhSGèç)ùÿPèé)ùÿhSGhSGèÐ)ùÿPèÒ)ùÿFhRGhSGè¸)ùÿPèº)ùÿFhRGhSGè )ùÿPè¢)ùÿFhRGhSGè)ùÿPè)ùÿFh RGhSGèp)ùÿPèr)ùÿFh¬RGhSGèX)ùÿPèZ)ùÿFh¼RGhSGè@)ùÿPèB)ùÿFhÐRGhSGè()ùÿPè*)ùÿF hÜRGhSGè)ùÿPè)ùÿF$hèRGhSGèø(ùÿPèú(ùÿF(j`jÎºNGÃèõûÿÿ3ÀZYYdhMRGEôºèùÿÃ base_address: 0x001c0000 process_identifier: 1892 process_handle: 0x00000290	1	1
CreateProcessInternalW June 24, 2021, 11:50 p.m.	thread_identifier: 2824 thread_handle: 0x00000434 process_identifier: 844 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WinDefender\smarctscreen.exe track: 1 command_line: "C:\Windows\system32\WinDefender\smarctscreen.exe" filepath_r: C:\Windows\system32\WinDefender\smarctscreen.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000440	1	1
CreateProcessInternalW June 24, 2021, 11:50 p.m.	thread_identifier: 2672 thread_handle: 0x00000084 process_identifier: 3028 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\attrib.exe track: 1 command_line: attrib "C:\Users\test22\AppData\Local\Temp\Lady.exe" +s +h filepath_r: C:\Windows\system32\attrib.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW June 24, 2021, 11:50 p.m.	thread_identifier: 2772 thread_handle: 0x00000084 process_identifier: 1632 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\attrib.exe track: 1 command_line: attrib "C:\Users\test22\AppData\Local\Temp" +s +h filepath_r: C:\Windows\system32\attrib.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread June 24, 2021, 11:50 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1892	1	0
NtResumeThread June 24, 2021, 11:50 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 844	1	0
CreateProcessInternalW June 24, 2021, 11:50 p.m.	thread_identifier: 2316 thread_handle: 0x000001c8 process_identifier: 2480 current_directory: filepath: track: 1 command_line: notepad filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001cc	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: kernel32.dll base_address: 0x000b0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: user32.dll base_address: 0x000c0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: Sleep base_address: 0x000d0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: MessageBoxA base_address: 0x000e0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: CreateProcessA base_address: 0x000f0000 process_identifier: 2480 process_handle: 0x000001cc	1	1
NtAllocateVirtualMemory June 24, 2021, 11:50 p.m.	process_identifier: 2480 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001cc	1	0
WriteProcessMemory June 24, 2021, 11:50 p.m.	buffer: GetLastError base_address: 0x00100000 process_identifier: 2480 process_handle: 0x000001cc	1	1

Lady.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All