Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 3, 2021, 9:39 a.m.	July 3, 2021, 9:41 a.m.

Size	37.4KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`c7a592e62fb6a5741c38a31b2fcee21b`
SHA256	`4d8eaf37de32a6ff36c965b6e616e2085e2d1bd46e75344ca1fea59178c19f15`
CRC32	`7160FF63`
ssdeep	`768:q6XafEqnwgyDJnilc0kW2dGflfIubwC3pJvU7j1RgpMb88Ihl:bafJwgJcz7MpJijW8W`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) UPX_Zero - UPX packed file Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

ashleybinx.exe "C:\Users\test22\AppData\Local\Temp\ashleybinx.exe"
2444
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ashleybinx.exe" -Force
  1396
- cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 1
  1812
  - timeout.exe timeout 1
    1760
- ashleybinx.exe "C:\Users\test22\AppData\Local\Temp\ashleybinx.exe"
  2064

Name	Response	Post-Analysis Lookup
www.wounded-deer.com	CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
www.templejc.space
www.multitraditional.com	CNAME multitraditional.com A 144.168.44.250	144.168.44.250
www.waaaghstore.com	CNAME www35.wixdns.net CNAME balancer.wixdns.net CNAME 47363d5c-balancer.wixdns.net CNAME td-balancer-ae1-190-141.wixdns.net A 34.80.190.141	34.80.190.141
www.shopcavo.com	CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
kakosidobrosam.gq	A 104.21.67.197 A 172.67.180.37	104.21.67.197
www.tigersonindonesia.com	CNAME tigersonindonesia.com A 103.28.53.180	103.28.53.180
www.jjayphoto.com	A 154.215.102.140	154.215.102.140
www.wxsocial.net	CNAME wxsocial.net A 184.168.131.241	184.168.131.241
www.poetasamigosypensadores.com	CNAME poetasamigosypensadores.com A 35.209.112.216	35.209.112.216
www.m-midas.com	A 194.63.249.211	194.63.249.211
www.ossotasarim.com	CNAME www.ossotasarim.com.cdn.cloudflare.net A 104.21.17.25 A 172.67.219.157	172.67.219.157
www.dawnjarvisltd.com	CNAME us17-76bc7bfd-e6119fae940acdf99cd5171f5.pages.mailchi.mp CNAME terminator.capstone.com.akadns.net A 205.201.140.137 A 205.201.132.26	205.201.132.26
www.deliciousnukes.com	CNAME deliciousnukes.com A 34.102.136.180	34.102.136.180
www.seswebsite.com	A 107.178.171.23	107.178.171.23

IP Address	Status	Action
103.28.53.180	Active	Moloch
104.21.17.25	Active	Moloch
104.21.67.197	Active	Moloch
107.178.171.23	Active	Moloch
144.168.44.250	Active	Moloch
154.215.102.140	Active	Moloch
164.124.101.2	Active	Moloch
184.168.131.241	Active	Moloch
194.63.249.211	Active	Moloch
205.201.140.137	Active	Moloch
23.227.38.74	Active	Moloch
34.102.136.180	Active	Moloch
34.80.190.141	Active	Moloch
35.209.112.216	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:62324 -> 164.124.101.2:53	2025104	ET INFO DNS Query for Suspicious .gq Domain	Potentially Bad Traffic
TCP 192.168.56.101:49199 -> 104.21.67.197:443	2025108	ET INFO Suspicious Domain (*.gq) in TLS SNI	Potentially Bad Traffic
TCP 192.168.56.101:49199 -> 104.21.67.197:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49199 104.21.67.197:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a2:99:7f:61:26:e9:24:3e:96:d0:98:83:eb:e0:35:eb:07:a8:19:f8

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameA July 3, 2021, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 3, 2021, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 3, 2021, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 3, 2021, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 3, 2021, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 3, 2021, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 3, 2021, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 3, 2021, 9:39 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 3, 2021, 9:39 a.m.			0	0
IsDebuggerPresent July 3, 2021, 9:39 a.m.			0	0
IsDebuggerPresent July 3, 2021, 9:39 a.m.			0	0
IsDebuggerPresent July 3, 2021, 9:39 a.m.			0	0
IsDebuggerPresent July 3, 2021, 9:39 a.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 3, 2021, 9:39 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 3, 2021, 9:39 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 3, 2021, 9:39 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 3, 2021, 9:39 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 3, 2021, 9:39 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\ashl console_handle: 0x00000053	1	1
WriteConsoleW July 3, 2021, 9:39 a.m.	buffer: eybinx.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW July 3, 2021, 9:39 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW July 3, 2021, 9:39 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 3, 2021, 9:39 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW July 3, 2021, 9:39 a.m.	buffer: Waiting for 1 console_handle: 0x00000007	1	1
WriteConsoleW July 3, 2021, 9:39 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (49 events)

Time & API	Arguments	Status	Return
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b1660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b1760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b1760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf990 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfa90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfa90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfa90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfa90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfa90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfa90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfe10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bf690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c0310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c0310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c0310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c0310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c0310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c0310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c0310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 3, 2021, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c0310 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 3, 2021, 9:39 a.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ July 3, 2021, 9:39 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1 system+0x1a8397 @ 0x6f468397 system+0x1a5c90 @ 0x6f465c90 system+0x1a5b5c @ 0x6f465b5c system+0x1914c7 @ 0x6f4514c7 system+0x1c3126 @ 0x6f483126 system+0x1c31d9 @ 0x6f4831d9 0x6626c3 0x6600d4 0x660076 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 4647728 registers.edi: 0 registers.eax: 4647728 registers.ebp: 4647808 registers.edx: 0 registers.ebx: 6474488 registers.esi: 5785448 registers.ecx: 2529077780	1
__exception__ July 3, 2021, 9:39 a.m.	stacktrace: 0x6641bb 0x66390e 0x662e69 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72769df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72769e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72769efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72769fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x727c564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x7279be63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x7279b998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x7279b726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x7279bf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x7279bce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x7275cca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x7275cd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x72848841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x727c14e9 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d microsoft+0x50c17 @ 0x6f130c17 microsoft+0x3f33f @ 0x6f11f33f microsoft+0x3edf8 @ 0x6f11edf8 microsoft+0x3e3b9 @ 0x6f11e3b9 microsoft+0x17e980 @ 0x6f25e980 0x66049a 0x660076 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 7a 6e 85 6f c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x664263 registers.esp: 4643048 registers.edi: 4643068 registers.eax: 0 registers.ebp: 4643080 registers.edx: 36442664 registers.ebx: 4643664 registers.esi: 36442664 registers.ecx: 0	1
__exception__ July 3, 2021, 9:39 a.m.	stacktrace: 0x664207 0x66390e 0x662e69 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x72769df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x72769e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x72769efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x72769fa2 LogHelp_TerminateOnAssert+0x16b0b GetPrivateContextsPerfCounters-0x2937 clr+0x8564b @ 0x727c564b CreateAssemblyNameObject+0x2e9ca GetMetaDataInternalInterface-0x9aa5 clr+0x5be63 @ 0x7279be63 CreateAssemblyNameObject+0x2e4ff GetMetaDataInternalInterface-0x9f70 clr+0x5b998 @ 0x7279b998 CreateAssemblyNameObject+0x2e28d GetMetaDataInternalInterface-0xa1e2 clr+0x5b726 @ 0x7279b726 CreateAssemblyNameObject+0x2eacf GetMetaDataInternalInterface-0x99a0 clr+0x5bf68 @ 0x7279bf68 CreateAssemblyNameObject+0x2e84b GetMetaDataInternalInterface-0x9c24 clr+0x5bce4 @ 0x7279bce4 DllRegisterServerInternal+0xa898 CoUninitializeEE-0x2ba0 clr+0x1cca4 @ 0x7275cca4 DllRegisterServerInternal+0xa92b CoUninitializeEE-0x2b0d clr+0x1cd37 @ 0x7275cd37 DllGetClassObjectInternal+0x437c8 CorDllMainForThunk-0x48d33 clr+0x108841 @ 0x72848841 LogHelp_TerminateOnAssert+0x129a9 GetPrivateContextsPerfCounters-0x6a99 clr+0x814e9 @ 0x727c14e9 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d microsoft+0x50c17 @ 0x6f130c17 microsoft+0x3f33f @ 0x6f11f33f microsoft+0x3edf8 @ 0x6f11edf8 microsoft+0x3e3b9 @ 0x6f11e3b9 microsoft+0x17e980 @ 0x6f25e980 0x66049a 0x660076 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 7a 6e 85 6f c7 45 e8 00 00 00 00 c7 45 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x664263 registers.esp: 4643048 registers.edi: 4643068 registers.eax: 0 registers.ebp: 4643080 registers.edx: 127562516 registers.ebx: 4643664 registers.esi: 127562516 registers.ecx: 0	1
__exception__ July 3, 2021, 9:39 a.m.	stacktrace: 0x669916 0x668e6f 0x664497 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d3711 @ 0x6ff13711 mscorlib+0x308f2d @ 0x6ff48f2d mscorlib+0x2cb060 @ 0x6ff0b060 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737 mscorlib+0x2d36ad @ 0x6ff136ad mscorlib+0x308f2d @ 0x6ff48f2d microsoft+0x50c17 @ 0x6f130c17 microsoft+0x3f33f @ 0x6f11f33f microsoft+0x3edf8 @ 0x6f11edf8 microsoft+0x3e3b9 @ 0x6f11e3b9 microsoft+0x17e980 @ 0x6f25e980 0x66049a 0x660076 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 eb 3e 8d 55 e0 0f b6 01 88 02 0f b6 41 01 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: mscorlib+0x324f62 exception.address: 0x6ff64f62 registers.esp: 4645636 registers.edi: 4645660 registers.eax: 0 registers.ebp: 4645672 registers.edx: 0 registers.ebx: 127858476 registers.esi: 4194364 registers.ecx: 4194364	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (15 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.dawnjarvisltd.com/ushb/?mHIx40=3SmC3UZByhcbL2mGDdoUlUv2kDP+K/S2WzQTgf/dbZLTYyxdpUCpCwWiKx+wC7XxiANrTe4Z&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.waaaghstore.com/ushb/?mHIx40=d2db7vz8b4gdNrrt4qkzq0tG6Pmid53TShP84iPEhYJEnjJIFmT0kwvEdr2qbrsXJSoEJg75&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.shopcavo.com/ushb/?mHIx40=QYepAKqqZzG2kR/57317p6KhzVHBF5g+kyT5gGECjnJqX6eG1WlH3e963VsDQqp1ReenidM4&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.jjayphoto.com/ushb/?mHIx40=l2QH2d7PUWvRkU9SKQdvN0s95WcJxjd9CPijL6arS0ynTjqyQUYKcLuVD3sUO6nj8FIa5lUc&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.poetasamigosypensadores.com/ushb/?mHIx40=fbMAEC5I5bGZsvMeVZfdSh5kpbdGGNxOXI23Y+fwKREdh+1jMwB4L2byPtlzBsiu6rKFsHuZ&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.deliciousnukes.com/ushb/?mHIx40=CoY64qMwiO6SnAqEo6cwd7vVtOzq42WOKh1biPKYD71bz+rRFAinell2lJMFOMTK0ellYB+l&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tigersonindonesia.com/ushb/?mHIx40=LS6MOTI15xEst6X5E3hLeUbVHph5If8WCZS1PbHDLcXlz/LjLfM6q15glOfELeIimIqtDGOZ&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ossotasarim.com/ushb/?mHIx40=Kis9qagQgFI/pgEC90LDhBb2/hkn9V+B079wctmSP192jSk/5pov+dY2uUpHLbHPLnwA/Tk/&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.seswebsite.com/ushb/?mHIx40=TZZwrrhqgDwgA3wgZEkIn+5Y0i33oms/xFRek6mxYnSgwbHptw7FsqII1T+6/LgkP21MZkXY&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.wounded-deer.com/ushb/?mHIx40=JW6wJS/fCyqdc2JhPnJNDDubHmZuYWrni9atbTQ1vgM5IXg85tcAFndz4NRwlP6sL42SfpTd&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.m-midas.com/ushb/?mHIx40=KETTpM1456fImzG2o/HCqgJBte/IHmJz01Qx96IPJzNgkPHHpmXueOKRfDyrAPg68mjcbOiZ&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.multitraditional.com/ushb/?mHIx40=Oc4WjS4DBu5AvhP85U59EprkqoXzMyfsJMpdZ9aVqZv/kvrlgbGtP2m1bh6Ukc03AoFAKmiH&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.wxsocial.net/ushb/?mHIx40=jD+SQ9M5OhBQJ5/3QGxgtYDN3MBJME7yhC8sQwvm8GBIEkJ4Y0691HdGHFaX56NR4IeIxVKV&_jAPiL=UfgdTxvpJHM
suspicious_features	GET method with no useragent header	suspicious_request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E322EE0C66235D8B40A9334F1FF263B9.html
suspicious_features	GET method with no useragent header	suspicious_request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F6E7D76D7517CFB3E9EF1C0C7D4E0D6D.html

Performs some HTTP requests (27 events)

request	POST http://www.dawnjarvisltd.com/ushb/
request	GET http://www.dawnjarvisltd.com/ushb/?mHIx40=3SmC3UZByhcbL2mGDdoUlUv2kDP+K/S2WzQTgf/dbZLTYyxdpUCpCwWiKx+wC7XxiANrTe4Z&_jAPiL=UfgdTxvpJHM
request	POST http://www.waaaghstore.com/ushb/
request	GET http://www.waaaghstore.com/ushb/?mHIx40=d2db7vz8b4gdNrrt4qkzq0tG6Pmid53TShP84iPEhYJEnjJIFmT0kwvEdr2qbrsXJSoEJg75&_jAPiL=UfgdTxvpJHM
request	POST http://www.shopcavo.com/ushb/
request	GET http://www.shopcavo.com/ushb/?mHIx40=QYepAKqqZzG2kR/57317p6KhzVHBF5g+kyT5gGECjnJqX6eG1WlH3e963VsDQqp1ReenidM4&_jAPiL=UfgdTxvpJHM
request	POST http://www.jjayphoto.com/ushb/
request	GET http://www.jjayphoto.com/ushb/?mHIx40=l2QH2d7PUWvRkU9SKQdvN0s95WcJxjd9CPijL6arS0ynTjqyQUYKcLuVD3sUO6nj8FIa5lUc&_jAPiL=UfgdTxvpJHM
request	POST http://www.poetasamigosypensadores.com/ushb/
request	GET http://www.poetasamigosypensadores.com/ushb/?mHIx40=fbMAEC5I5bGZsvMeVZfdSh5kpbdGGNxOXI23Y+fwKREdh+1jMwB4L2byPtlzBsiu6rKFsHuZ&_jAPiL=UfgdTxvpJHM
request	POST http://www.deliciousnukes.com/ushb/
request	GET http://www.deliciousnukes.com/ushb/?mHIx40=CoY64qMwiO6SnAqEo6cwd7vVtOzq42WOKh1biPKYD71bz+rRFAinell2lJMFOMTK0ellYB+l&_jAPiL=UfgdTxvpJHM
request	POST http://www.tigersonindonesia.com/ushb/
request	GET http://www.tigersonindonesia.com/ushb/?mHIx40=LS6MOTI15xEst6X5E3hLeUbVHph5If8WCZS1PbHDLcXlz/LjLfM6q15glOfELeIimIqtDGOZ&_jAPiL=UfgdTxvpJHM
request	POST http://www.ossotasarim.com/ushb/
request	GET http://www.ossotasarim.com/ushb/?mHIx40=Kis9qagQgFI/pgEC90LDhBb2/hkn9V+B079wctmSP192jSk/5pov+dY2uUpHLbHPLnwA/Tk/&_jAPiL=UfgdTxvpJHM
request	GET http://www.seswebsite.com/ushb/?mHIx40=TZZwrrhqgDwgA3wgZEkIn+5Y0i33oms/xFRek6mxYnSgwbHptw7FsqII1T+6/LgkP21MZkXY&_jAPiL=UfgdTxvpJHM
request	POST http://www.wounded-deer.com/ushb/
request	GET http://www.wounded-deer.com/ushb/?mHIx40=JW6wJS/fCyqdc2JhPnJNDDubHmZuYWrni9atbTQ1vgM5IXg85tcAFndz4NRwlP6sL42SfpTd&_jAPiL=UfgdTxvpJHM
request	POST http://www.m-midas.com/ushb/
request	GET http://www.m-midas.com/ushb/?mHIx40=KETTpM1456fImzG2o/HCqgJBte/IHmJz01Qx96IPJzNgkPHHpmXueOKRfDyrAPg68mjcbOiZ&_jAPiL=UfgdTxvpJHM
request	POST http://www.multitraditional.com/ushb/
request	GET http://www.multitraditional.com/ushb/?mHIx40=Oc4WjS4DBu5AvhP85U59EprkqoXzMyfsJMpdZ9aVqZv/kvrlgbGtP2m1bh6Ukc03AoFAKmiH&_jAPiL=UfgdTxvpJHM
request	POST http://www.wxsocial.net/ushb/
request	GET http://www.wxsocial.net/ushb/?mHIx40=jD+SQ9M5OhBQJ5/3QGxgtYDN3MBJME7yhC8sQwvm8GBIEkJ4Y0691HdGHFaX56NR4IeIxVKV&_jAPiL=UfgdTxvpJHM
request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E322EE0C66235D8B40A9334F1FF263B9.html
request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F6E7D76D7517CFB3E9EF1C0C7D4E0D6D.html

Sends data using the HTTP POST Method (12 events)

request	POST http://www.dawnjarvisltd.com/ushb/
request	POST http://www.waaaghstore.com/ushb/
request	POST http://www.shopcavo.com/ushb/
request	POST http://www.jjayphoto.com/ushb/
request	POST http://www.poetasamigosypensadores.com/ushb/
request	POST http://www.deliciousnukes.com/ushb/
request	POST http://www.tigersonindonesia.com/ushb/
request	POST http://www.ossotasarim.com/ushb/
request	POST http://www.wounded-deer.com/ushb/
request	POST http://www.m-midas.com/ushb/
request	POST http://www.multitraditional.com/ushb/
request	POST http://www.wxsocial.net/ushb/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 171 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00322000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00355000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00357000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00346000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00661000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00347000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0034b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6cc31000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6cc32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 1396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ashleybinx.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ashleybinx.exe" -Force
cmdline	"C:\Windows\System32\cmd.exe" /c timeout 1
cmdline	cmd.exe /c timeout 1

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 3, 2021, 9:39 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ashleybinx.exe" -Force filepath: powershell	1	1	0
ShellExecuteExW July 3, 2021, 9:39 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c timeout 1 filepath: cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 3, 2021, 9:39 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00007600', u'virtual_address': u'0x00002000', u'entropy': 7.322274271485646, u'name': u'.text', u'virtual_size': u'0x00007574'}

entropy

7.32227427149

description

A section with a high entropy has been found

entropy

0.936507936508

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 3, 2021, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 3, 2021, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 3, 2021, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2064 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000006d4	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 3, 2021, 9:39 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELUûQà pÐ@@À.textÀop `.rsrcÀ@@ base_address: 0x00400000 process_identifier: 2064 process_handle: 0x000006d4	1	1
WriteProcessMemory July 3, 2021, 9:39 a.m.	buffer: 0 HXhäh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsKSvY FmCq(CompanyNameJYi8FileDescriptionSOp Mod0FileVersion1.8.2.2: InternalNameOtTG IWc.exez+LegalCopyrightCopyright 2020 © KtD. All rights reserved.2LegalTrademarksOPOXB OriginalFilenameOtTG IWc.exe2 ProductNameOtTG IWc4ProductVersion6.4.6.38Assembly Version6.4.6.3DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00428000 process_identifier: 2064 process_handle: 0x000006d4	1	1
WriteProcessMemory July 3, 2021, 9:39 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2064 process_handle: 0x000006d4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 3, 2021, 9:39 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELUûQà pÐ@@À.textÀop `.rsrcÀ@@ base_address: 0x00400000 process_identifier: 2064 process_handle: 0x000006d4	1	1	0

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Elastic	malicious (high confidence)
Cylance	Unsafe
AegisLab	Trojan.Win32.Malicious.4!c
Cybereason	malicious.239b5d
Cyren	W32/MSIL_Agent.BZW.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.IFL
APEX	Malicious
Avast	FileRepMalware
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:MSIL/Generic.99e54a8c
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_98%
BitDefenderTheta	Gen:NN.ZemsilF.34770.cm1@aC2!b8b
AVG	FileRepMalware

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2444 called NtSetContextThread to modify thread in remote process 2064
NtSetContextThread July 3, 2021, 9:39 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313104 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000006d8 process_identifier: 2064	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2444 resumed a thread in remote process 2064
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000006d8 suspend_count: 1 process_identifier: 2064	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Generates some ICMP traffic

Disables Windows Security features (1 event)

description

attempts to disable user access control

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Executed a process and injected code into it, probably while unpacking (31 events)

Time & API	Arguments	Status	Return
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x00000598 suspend_count: 1 process_identifier: 2444	1	0
NtGetContextThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread July 3, 2021, 9:39 a.m.	registers.eip: 1920740228 registers.esp: 4647936 registers.edi: 1100758 registers.eax: 31 registers.ebp: 4647980 registers.edx: 36495376 registers.ebx: 53253888 registers.esi: 36495200 registers.ecx: 49 thread_handle: 0x000000e0 process_identifier: 2444	1	0
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2444	1	0
NtGetContextThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2444	1	0
CreateProcessInternalW July 3, 2021, 9:39 a.m.	thread_identifier: 2876 thread_handle: 0x000006a8 process_identifier: 1396 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\ashleybinx.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006b0	1	1
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000006bc suspend_count: 1 process_identifier: 2444	1	0
CreateProcessInternalW July 3, 2021, 9:39 a.m.	thread_identifier: 1048 thread_handle: 0x000006d0 process_identifier: 1812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c timeout 1 filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006e4	1	1
CreateProcessInternalW July 3, 2021, 9:39 a.m.	thread_identifier: 2060 thread_handle: 0x000006d8 process_identifier: 2064 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\ashleybinx.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\ashleybinx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000006d4	1	1
NtGetContextThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000006d8	1	0
NtAllocateVirtualMemory July 3, 2021, 9:39 a.m.	process_identifier: 2064 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000006d4	1	0
WriteProcessMemory July 3, 2021, 9:39 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELUûQà pÐ@@À.textÀop `.rsrcÀ@@ base_address: 0x00400000 process_identifier: 2064 process_handle: 0x000006d4	1	1
WriteProcessMemory July 3, 2021, 9:39 a.m.	buffer: base_address: 0x00401000 process_identifier: 2064 process_handle: 0x000006d4	1	1
WriteProcessMemory July 3, 2021, 9:39 a.m.	buffer: 0 HXhäh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsKSvY FmCq(CompanyNameJYi8FileDescriptionSOp Mod0FileVersion1.8.2.2: InternalNameOtTG IWc.exez+LegalCopyrightCopyright 2020 © KtD. All rights reserved.2LegalTrademarksOPOXB OriginalFilenameOtTG IWc.exe2 ProductNameOtTG IWc4ProductVersion6.4.6.38Assembly Version6.4.6.3DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x00428000 process_identifier: 2064 process_handle: 0x000006d4	1	1
WriteProcessMemory July 3, 2021, 9:39 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2064 process_handle: 0x000006d4	1	1
NtSetContextThread July 3, 2021, 9:39 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313104 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000006d8 process_identifier: 2064	1	0
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000006d8 suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 1396	1	0
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 1396	1	0
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 1396	1	0
NtResumeThread July 3, 2021, 9:39 a.m.	thread_handle: 0x000004a4 suspend_count: 1 process_identifier: 1396	1	0
CreateProcessInternalW July 3, 2021, 9:39 a.m.	thread_identifier: 1436 thread_handle: 0x00000084 process_identifier: 1760 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 1 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

ashleybinx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All