Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 29, 2021, 9:55 a.m.	June 29, 2021, 9:57 a.m.

Size	2.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`16493223940cd99199a672e44dec05d6`
SHA256	`7b844cc75f594f536f486b137817a497407b689725ab45c7904444e82374d4ac`
CRC32	`9FF135F5`
ssdeep	`24576:m92KPqd9u0yepqI5DpBa4w3JhGdvpJhHmAc+dYTTRKwUvC5YYGayq1FOXTK8HidV:s2fyepz5DpLwnaxbc1t4iCaDvkKpdV`
Yara	OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature

idu9A98.exe "C:\Users\test22\AppData\Local\Temp\idu9A98.exe"
2952
- idu9A98.exe "C:\Users\test22\AppData\Local\Temp\idu9A98.exe"
  1836
  - idu9A98.exe "C:\Users\test22\AppData\Local\Temp\idu9A98.exe"
    7528
    - WerFault.exe C:\Windows\system32\WerFault.exe
      8956

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch
172.241.27.226	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 29, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 29, 2021, 9:55 a.m.	computer_name: TEST22-PC	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 29, 2021, 9:55 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.flat

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (15 events)

Time & API	Arguments	Status	Return
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: SearchIndexer.exe process_identifier: 2548	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: thunderbird.exe process_identifier: 3960	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: pw.exe process_identifier: 5008	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: audiodg.exe process_identifier: 7936	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: splwow64.exe process_identifier: 3928	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: SearchProtocolHost.exe process_identifier: 3816	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: SearchFilterHost.exe process_identifier: 7776	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: mobsync.exe process_identifier: 6504	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: pw.exe process_identifier: 2596	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: taskhost.exe process_identifier: 7240	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: cmd.exe process_identifier: 7564	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: conhost.exe process_identifier: 1040	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: pw.exe process_identifier: 4244	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: idu9A98.exe process_identifier: 2952	1	1
Process32NextW June 29, 2021, 9:55 a.m.	snapshot_handle: 0x00000040 process_name: idu9A98.exe process_identifier: 1836	1	1

Expresses interest in specific running processes (1 event)

process

idu9a98.exe

Yara rule detected in process memory (13 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 2b98c071f876aba59c0bb0b876c1c561381e142e

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	172.241.27.226

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 29, 2021, 9:55 a.m.	process_identifier: 7528 region_size: 565248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000048	1	0	0

Potential code injection by writing to the memory of another process (50 out of 624 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $YUjR444L44^4Þ;Y4Þ;[4Þ;4Ïo4Ïo4Ïo4Rich4PELå"Ú`àbÐ @40ð .textèab `.rdata f@@.dataöôp@À.reloc0d@B base_address: 0x011b0000 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: hR,úâÊ®F:.âð&2BPfz¨¶ÊÜìü"&<N^l~ ¶ÊàövÀªvbxJ.`Tôêàkernel32.dllCreateProcessWCreateProcessAadvapi32.dllCreateProcessAsUserWCreateProcessAsUserANTDLL.DLLLdrLoadDllLdrGetProcedureAddressNtProtectVirtualMemoryNTDLL.DLLå"Ú` èhC.textP].text$mn .idata$5 ì.rdataè.rdata$zzzdbgø<.xdata$x4x.idata$2¬.idata$3À .idata$4à².idata$6ô.data.bssÿÿÿÿ#6@)6@ÿÿÿÿ´b@Äb@ÿÿÿÿ¸]@È]@ÿÿÿÿ V@7V@¼Jü¤äØÌÀ<´VôØhR,úâÊ®F:.âð&2BPfz¨¶ÊÜìü"&<N^l~ ¶ÊàövÀªvbxJ.`TôêàHmemsetFmemcpyNtUnmapViewOfSectionàZwCloseRtlNtStatusToDosErroriZwQueryInformationProcessntdll.dllRtlUnwind5NtQueryVirtualMemory:PathCombineW6StrRChrAStrChrASHLWAPI.dllEnumProcessModulesGetModuleFileNameExAPSAPI.DLLDLocalAllocKLocalReAllocHLocalFree%WriteFileRCloseHandleNlstrlenWCreateEventAtOpenEventAGetModuleFileNameWGetModuleHandleA¨CreateProcessWExpandEnvironmentStringsWCreateFileWGetComputerNameW¼SwitchToThreadGetLastErrorResumeThread²SleepGetModuleHandleW¢GetVersionÁGetCurrentProcessIdEGetProcAddresséVirtualAllocìVirtualFreeêVirtualAllocExOpenProcessÀGetCurrentProcess©CreateRemoteThreadÃReadProcessMemory.WriteProcessMemoryùWaitForSingleObjectðGetFileSizeÀReadFilefSetFilePointerDlstrcmpiAGlstrcpyA>lstrcatAMlstrlenAGetModuleFileNameACreateFileAWMapViewOfFileCreateFileMappingWïVirtualProtectâInitializeCriticalSectionîEnterCriticalSection9LeaveCriticalSectionÑDeleteCriticalSectionAlstrcmpAbFreeLibrary<LoadLibraryAKERNEL32.dll2wsprintfAUSER32.dllÃSHGetFolderPathWShellExecuteASHELL32.dll base_address: 0x011b8000 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ä1s1ã1ý12¡2¶2ò233+3?3Ô3à3í34414[4y44´4Ì4Ö45Ý56.6T6b6v66Ù6ã6·7ò7ü788)8/8N8k888£8³8Ç8þ89G9d9v9~9¿9Ü9þ9:$:Q:v:£:Ç:Ì:í:;?;l;³;Õ;ã;4<`<k<u<<Å<ä<õ<==6=G=L=R=e=j===«=°=·=¼=â=>>}>>>>ª>å>??)?k??¬?¼? 10:0K0Q0\00®0¶0Ü0611¤1û12:2C2K2Q2X2^2h2n2y2222£2¬2³2À2É2Ô2í2ö2þ23333 31393@3Q3Y3`3q3y33Â3Ø3ð3¥5«5Ø5Þ566ï6õ677!7B7H7:]:q:¾:É: ;;<û<=I=R=d=w=~=¡=©=®=¼=Á=Ï=Ô=Û=î=÷=> >D>z>>>>¤>ª>³>å>ï>÷>? ??"?,?5?<?^?d?p?~????¢?¨?®?·?¼?Í?Ó?Ù?ß?ê?ø?0¸0¯0ê01 1O1z1¤1¬1ø1ý1I2í2\3¬346455u5N6æ677977Ù748I8P8`8n8u888 8°8¾8Å8/9T99¾9 ;1;?;¢;¬;Í;Õ;Ú;à;ç;ì;ò;<#<><U<]<b<h<o<t<z<<¼<Ö<=b=u=³=Ù=á= >>I>P>â>è>?%??0?J?R??¤?@Ð00V2A33¦3ç3î344ô4ú4,525I5`5f55646x6ì67'727A7\77ñ78v88µ89:0:®:´:ó:;T;t;;¾;Õ;ß;ú; <p<¤<·<¿<F=\=v=\|==£=©=¶=Ð=Ö=ã=ý=>>>0>=>W>]>j>>>>±>·>Ä>Þ>ä>ñ>???8?>?K?e?k?x???¢?¹?¾?Õ?Ú?ñ?ö?P 00)0.0E0J0a0f0}0000µ0º0Ñ0Ö0í0ò0 111±1Ð1ß1û1 2!202U2e2A3G3x33333Å3â3ë3ô3ý3 4&4+4Ð4555»56s7E8ô8ú8{99î9ô92:m:¶;»;7<½<=5=R==>>¬>ã>í>F?`¶0Ý0é0 111262K22¤2·3Á3$4444:4@4D4I4N4d4j4t4z44444 4¤4©4®4Ä4Ê4Ô4Ú4û4¹5779Â<=ÿ=>>$>+>[>h>n>¼>?9?>?D?K?t?ç?í?pX0Ç0Í0à0Æ1Ì1Ò1Ø1Þ1ä1ü23333 3,303p\;;; ;(;0;<;D;L;X;`;h;t;\|;;;; ;´;¼;Ð;Ø;ì;ô;<<<(<4<@<L<X<d<p<\|<<< <¬<¸<Ä<Ð<@3D3H3 base_address: 0x01239000 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: $ÿuè base_address: 0x011b1118 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ,dÿ5 base_address: 0x011b1173 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ,uQ base_address: 0x011b11e3 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ð#ë SQ base_address: 0x011b11fd process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ð#M base_address: 0x011b1206 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: h#óæ base_address: 0x011b12a1 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: p#t+@; base_address: 0x011b12b6 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: °#Bû base_address: 0x011b12f2 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: p#t*A base_address: 0x011b1306 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: p#tHy base_address: 0x011b1316 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: h#Aÿë base_address: 0x011b132b process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: p#9B; base_address: 0x011b133f process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: °# É base_address: 0x011b13d4 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: h#ÉÑ base_address: 0x011b13e0 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: l#90t base_address: 0x011b13ed process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: p#8B; base_address: 0x011b1413 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: h#3À¹° base_address: 0x011b142a process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: °#é& base_address: 0x011b1431 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: <]Â base_address: 0x011b145b process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: D]Â base_address: 0x011b1479 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: @]Â base_address: 0x011b149f process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: M base_address: 0x011b14b4 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: d#àt base_address: 0x011b14cc process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: M base_address: 0x011b14d6 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: `Pèp base_address: 0x011b1516 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ÜÀ base_address: 0x011b15dd process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: z#ý base_address: 0x011b161a process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ìEèP base_address: 0x011b162e process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: dEü base_address: 0x011b1654 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ´z#ý base_address: 0x011b1662 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ìUèR base_address: 0x011b1676 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: dEü base_address: 0x011b169c process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: LUèR base_address: 0x011b16d9 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: Ljèb base_address: 0x011b16e3 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: pUÜR base_address: 0x011b17b7 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: Ôz#UðR base_address: 0x011b17f2 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ôÄ base_address: 0x011b17fc process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: Øz#MðQ base_address: 0x011b180b process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ôÄh base_address: 0x011b1815 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: Üz#ÿh base_address: 0x011b1829 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: hjh base_address: 0x011b182f process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: lEü base_address: 0x011b184e process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: \ÇEè base_address: 0x011b186b process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: PÑàP base_address: 0x011b1885 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: HEüP base_address: 0x011b1899 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: LMðQ base_address: 0x011b18a3 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: TEä base_address: 0x011b18b3 process_identifier: 7528 process_handle: 0x00000048	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $YUjR444L44^4Þ;Y4Þ;[4Þ;4Ïo4Ïo4Ïo4Rich4PELå"Ú`àbÐ @40ð .textèab `.rdata f@@.dataöôp@À.reloc0d@B base_address: 0x011b0000 process_identifier: 7528 process_handle: 0x00000048	1	1	0

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
Cylance	Unsafe
APEX	Malicious
Kaspersky	VHO:Trojan-Ransom.Win32.Crypmodng.gen
McAfee-GW-Edition	BehavesLike.Win32.Generic.vh
FireEye	Generic.mg.16493223940cd991
Microsoft	Program:Win32/Wacapew.C!ml
AhnLab-V3	Malware/Win32.Generic.C3185944
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_87%
BitDefenderTheta	Gen:NN.ZexaF.34770.cA0@aCppeVfk
Cybereason	malicious.966705

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1836 called NtSetContextThread to modify thread in remote process 7528
NtSetContextThread June 29, 2021, 9:55 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 18552784 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000040 process_identifier: 7528	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1836 resumed a thread in remote process 7528
NtResumeThread June 29, 2021, 9:55 a.m.	thread_handle: 0x00000040 suspend_count: 1 process_identifier: 7528	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 635 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 29, 2021, 9:55 a.m.	thread_identifier: 5776 thread_handle: 0x00000040 process_identifier: 1836 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\idu9A98.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000044	1	1
CreateProcessInternalW June 29, 2021, 9:55 a.m.	thread_identifier: 7144 thread_handle: 0x00000040 process_identifier: 7528 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\idu9A98.exe" filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000048	1	1
NtUnmapViewOfSection June 29, 2021, 9:55 a.m.	base_address: 0x011b0000 region_size: 4096 process_identifier: 7528 process_handle: 0x00000048	1	0
NtAllocateVirtualMemory June 29, 2021, 9:55 a.m.	process_identifier: 7528 region_size: 565248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000048	1	0
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $YUjR444L44^4Þ;Y4Þ;[4Þ;4Ïo4Ïo4Ïo4Rich4PELå"Ú`àbÐ @40ð .textèab `.rdata f@@.dataöôp@À.reloc0d@B base_address: 0x011b0000 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: base_address: 0x011b1000 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: hR,úâÊ®F:.âð&2BPfz¨¶ÊÜìü"&<N^l~ ¶ÊàövÀªvbxJ.`Tôêàkernel32.dllCreateProcessWCreateProcessAadvapi32.dllCreateProcessAsUserWCreateProcessAsUserANTDLL.DLLLdrLoadDllLdrGetProcedureAddressNtProtectVirtualMemoryNTDLL.DLLå"Ú` èhC.textP].text$mn .idata$5 ì.rdataè.rdata$zzzdbgø<.xdata$x4x.idata$2¬.idata$3À .idata$4à².idata$6ô.data.bssÿÿÿÿ#6@)6@ÿÿÿÿ´b@Äb@ÿÿÿÿ¸]@È]@ÿÿÿÿ V@7V@¼Jü¤äØÌÀ<´VôØhR,úâÊ®F:.âð&2BPfz¨¶ÊÜìü"&<N^l~ ¶ÊàövÀªvbxJ.`TôêàHmemsetFmemcpyNtUnmapViewOfSectionàZwCloseRtlNtStatusToDosErroriZwQueryInformationProcessntdll.dllRtlUnwind5NtQueryVirtualMemory:PathCombineW6StrRChrAStrChrASHLWAPI.dllEnumProcessModulesGetModuleFileNameExAPSAPI.DLLDLocalAllocKLocalReAllocHLocalFree%WriteFileRCloseHandleNlstrlenWCreateEventAtOpenEventAGetModuleFileNameWGetModuleHandleA¨CreateProcessWExpandEnvironmentStringsWCreateFileWGetComputerNameW¼SwitchToThreadGetLastErrorResumeThread²SleepGetModuleHandleW¢GetVersionÁGetCurrentProcessIdEGetProcAddresséVirtualAllocìVirtualFreeêVirtualAllocExOpenProcessÀGetCurrentProcess©CreateRemoteThreadÃReadProcessMemory.WriteProcessMemoryùWaitForSingleObjectðGetFileSizeÀReadFilefSetFilePointerDlstrcmpiAGlstrcpyA>lstrcatAMlstrlenAGetModuleFileNameACreateFileAWMapViewOfFileCreateFileMappingWïVirtualProtectâInitializeCriticalSectionîEnterCriticalSection9LeaveCriticalSectionÑDeleteCriticalSectionAlstrcmpAbFreeLibrary<LoadLibraryAKERNEL32.dll2wsprintfAUSER32.dllÃSHGetFolderPathWShellExecuteASHELL32.dll base_address: 0x011b8000 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: base_address: 0x011b9000 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ä1s1ã1ý12¡2¶2ò233+3?3Ô3à3í34414[4y44´4Ì4Ö45Ý56.6T6b6v66Ù6ã6·7ò7ü788)8/8N8k888£8³8Ç8þ89G9d9v9~9¿9Ü9þ9:$:Q:v:£:Ç:Ì:í:;?;l;³;Õ;ã;4<`<k<u<<Å<ä<õ<==6=G=L=R=e=j===«=°=·=¼=â=>>}>>>>ª>å>??)?k??¬?¼? 10:0K0Q0\00®0¶0Ü0611¤1û12:2C2K2Q2X2^2h2n2y2222£2¬2³2À2É2Ô2í2ö2þ23333 31393@3Q3Y3`3q3y33Â3Ø3ð3¥5«5Ø5Þ566ï6õ677!7B7H7:]:q:¾:É: ;;<û<=I=R=d=w=~=¡=©=®=¼=Á=Ï=Ô=Û=î=÷=> >D>z>>>>¤>ª>³>å>ï>÷>? ??"?,?5?<?^?d?p?~????¢?¨?®?·?¼?Í?Ó?Ù?ß?ê?ø?0¸0¯0ê01 1O1z1¤1¬1ø1ý1I2í2\3¬346455u5N6æ677977Ù748I8P8`8n8u888 8°8¾8Å8/9T99¾9 ;1;?;¢;¬;Í;Õ;Ú;à;ç;ì;ò;<#<><U<]<b<h<o<t<z<<¼<Ö<=b=u=³=Ù=á= >>I>P>â>è>?%??0?J?R??¤?@Ð00V2A33¦3ç3î344ô4ú4,525I5`5f55646x6ì67'727A7\77ñ78v88µ89:0:®:´:ó:;T;t;;¾;Õ;ß;ú; <p<¤<·<¿<F=\=v=\|==£=©=¶=Ð=Ö=ã=ý=>>>0>=>W>]>j>>>>±>·>Ä>Þ>ä>ñ>???8?>?K?e?k?x???¢?¹?¾?Õ?Ú?ñ?ö?P 00)0.0E0J0a0f0}0000µ0º0Ñ0Ö0í0ò0 111±1Ð1ß1û1 2!202U2e2A3G3x33333Å3â3ë3ô3ý3 4&4+4Ð4555»56s7E8ô8ú8{99î9ô92:m:¶;»;7<½<=5=R==>>¬>ã>í>F?`¶0Ý0é0 111262K22¤2·3Á3$4444:4@4D4I4N4d4j4t4z44444 4¤4©4®4Ä4Ê4Ô4Ú4û4¹5779Â<=ÿ=>>$>+>[>h>n>¼>?9?>?D?K?t?ç?í?pX0Ç0Í0à0Æ1Ì1Ò1Ø1Þ1ä1ü23333 3,303p\;;; ;(;0;<;D;L;X;`;h;t;\|;;;; ;´;¼;Ð;Ø;ì;ô;<<<(<4<@<L<X<d<p<\|<<< <¬<¸<Ä<Ð<@3D3H3 base_address: 0x01239000 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: $ÿuè base_address: 0x011b1118 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ,dÿ5 base_address: 0x011b1173 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ,uQ base_address: 0x011b11e3 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ð#ë SQ base_address: 0x011b11fd process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ð#M base_address: 0x011b1206 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: h#óæ base_address: 0x011b12a1 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: p#t+@; base_address: 0x011b12b6 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: °#Bû base_address: 0x011b12f2 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: p#t*A base_address: 0x011b1306 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: p#tHy base_address: 0x011b1316 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: h#Aÿë base_address: 0x011b132b process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: p#9B; base_address: 0x011b133f process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: °# É base_address: 0x011b13d4 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: h#ÉÑ base_address: 0x011b13e0 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: l#90t base_address: 0x011b13ed process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: p#8B; base_address: 0x011b1413 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: h#3À¹° base_address: 0x011b142a process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: °#é& base_address: 0x011b1431 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: <]Â base_address: 0x011b145b process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: D]Â base_address: 0x011b1479 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: @]Â base_address: 0x011b149f process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: M base_address: 0x011b14b4 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: d#àt base_address: 0x011b14cc process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: M base_address: 0x011b14d6 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: `Pèp base_address: 0x011b1516 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ÜÀ base_address: 0x011b15dd process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: z#ý base_address: 0x011b161a process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ìEèP base_address: 0x011b162e process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: dEü base_address: 0x011b1654 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ´z#ý base_address: 0x011b1662 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ìUèR base_address: 0x011b1676 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: dEü base_address: 0x011b169c process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: LUèR base_address: 0x011b16d9 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: Ljèb base_address: 0x011b16e3 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: pUÜR base_address: 0x011b17b7 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: Ôz#UðR base_address: 0x011b17f2 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ôÄ base_address: 0x011b17fc process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: Øz#MðQ base_address: 0x011b180b process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: ôÄh base_address: 0x011b1815 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: Üz#ÿh base_address: 0x011b1829 process_identifier: 7528 process_handle: 0x00000048	1	1
WriteProcessMemory June 29, 2021, 9:55 a.m.	buffer: hjh base_address: 0x011b182f process_identifier: 7528 process_handle: 0x00000048	1	1

idu9A98.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All