Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 9, 2021, 9:50 a.m.	July 9, 2021, 10:13 a.m.

Size	650.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2d5b3a4197f716b1600e32a3cbfa7b1e`
SHA256	`4418451ac62d0ded7768617f213598565700604cc9856cb6b2709f1e5304c2a1`
CRC32	`574EBC72`
ssdeep	`12288:aHPn4HHOqpc/XJeeOsHLVF0Td3W3Ylv8c+tp5QspJkVnfzd15xa7H6O:CPn6pc/ZLOsHnG38RtfP+f3gf`
Yara	Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) PDF_Format_Z - PDF Format PE_Header_Zero - PE File Signature Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

ConsoleApp131.exe "C:\Users\test22\AppData\Local\Temp\ConsoleApp131.exe"
2388
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\_Ycmyikcyssbufotiofnemnl.vbs"
  3000
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\notapad.exe'
    2516
- ConsoleApp131.exe C:\Users\test22\AppData\Local\Temp\ConsoleApp131.exe
  2084

Name	Response	Post-Analysis Lookup
freightmgmt.duckdns.org	A 194.5.98.207	194.5.98.207

IP Address	Status	Action
164.124.101.2	Active	Moloch
194.5.98.207	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 9, 2021, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2021, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2021, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2021, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 9, 2021, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 9, 2021, 9:51 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 9, 2021, 9:50 a.m.			0	0
IsDebuggerPresent July 9, 2021, 9:50 a.m.			0	0
IsDebuggerPresent July 9, 2021, 9:51 a.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 9, 2021, 9:51 a.m.	buffer: The term 'Set-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 9, 2021, 9:51 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 9, 2021, 9:51 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 9, 2021, 9:51 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW July 9, 2021, 9:51 a.m.	buffer: + Set-MpPreference <<<< -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\no console_handle: 0x00000053	1	1
WriteConsoleW July 9, 2021, 9:51 a.m.	buffer: tapad.exe' console_handle: 0x0000005f	1	1
WriteConsoleW July 9, 2021, 9:51 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Set-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW July 9, 2021, 9:51 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW July 9, 2021, 9:51 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (49 events)

Time & API	Arguments	Status	Return
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b0268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b00a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b00a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0b30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f08f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f08f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f08f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f08f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f08f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f08f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f08f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f08f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f08f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f08f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0eb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 9, 2021, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006f0df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 9, 2021, 9:50 a.m.		1	1	0

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ July 9, 2021, 9:51 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x75b5b37e 0x65a5515 0x65a548a 0x65a2f20 0x65a2573 0x68d45b6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x74101838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x74101737 mscorlib+0x2d36ad @ 0x727d36ad mscorlib+0x308f2d @ 0x72808f2d mscorlib+0x3135ed @ 0x728135ed 0x1fb1e33 0x1fb1d06 0x1fb1c9d 0x1fb1210 system+0x1f9799 @ 0x71159799 system+0x1f92c8 @ 0x711592c8 system+0x1eca74 @ 0x7114ca74 system+0x1ec868 @ 0x7114c868 system+0x1f82b8 @ 0x711582b8 system+0x1ee54d @ 0x7114e54d system+0x1f70ea @ 0x711570ea system+0x1e56c0 @ 0x711456c0 system+0x1f8215 @ 0x71158215 system+0x1f6f75 @ 0x71156f75 system+0x1ee251 @ 0x7114e251 system+0x1ee229 @ 0x7114e229 system+0x1ee170 @ 0x7114e170 0x62a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75dc62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75dc6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75dc6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75dc6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7777011a system+0x1ebc85 @ 0x7114bc85 system+0x1f683b @ 0x7115683b system+0x1a5e44 @ 0x71105e44 system+0x1fd8a0 @ 0x7115d8a0 system+0x1fd792 @ 0x7115d792 system+0x1a14bd @ 0x711014bd 0x1fb0f81 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74147610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x741d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x741d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x741d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x741d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7472f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x75b5b479 registers.esp: 4448524 registers.edi: 1978982344 registers.eax: 1835008 registers.ebp: 4448728 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ July 9, 2021, 9:51 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x75b5b37e 0x65a5515 0x65a548a 0x65a2f20 0x65a2573 0x68d45b6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x74101838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x74101737 mscorlib+0x2d36ad @ 0x727d36ad mscorlib+0x308f2d @ 0x72808f2d mscorlib+0x3135ed @ 0x728135ed 0x1fb1e33 0x1fb1d06 0x1fb1c9d 0x1fb1210 system+0x1f9799 @ 0x71159799 system+0x1f92c8 @ 0x711592c8 system+0x1eca74 @ 0x7114ca74 system+0x1ec868 @ 0x7114c868 system+0x1f82b8 @ 0x711582b8 system+0x1ee54d @ 0x7114e54d system+0x1f70ea @ 0x711570ea system+0x1e56c0 @ 0x711456c0 system+0x1f8215 @ 0x71158215 system+0x1f6f75 @ 0x71156f75 system+0x1ee251 @ 0x7114e251 system+0x1ee229 @ 0x7114e229 system+0x1ee170 @ 0x7114e170 0x62a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75dc62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75dc6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75dc6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75dc6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7777011a system+0x1ebc85 @ 0x7114bc85 system+0x1f683b @ 0x7115683b system+0x1a5e44 @ 0x71105e44 system+0x1fd8a0 @ 0x7115d8a0 system+0x1fd792 @ 0x7115d792 system+0x1a14bd @ 0x711014bd 0x1fb0f81 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74147610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x741d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x741d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x741d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x741d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7472f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x75b5b479 registers.esp: 4448524 registers.edi: 1978982344 registers.eax: 10616832 registers.ebp: 4448728 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ July 9, 2021, 9:51 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x75b5b37e 0x65a5515 0x65a548a 0x65a2f20 0x65a2573 0x68d45b6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x74101838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x74101737 mscorlib+0x2d36ad @ 0x727d36ad mscorlib+0x308f2d @ 0x72808f2d mscorlib+0x3135ed @ 0x728135ed 0x1fb1e33 0x1fb1d06 0x1fb1c9d 0x1fb1210 system+0x1f9799 @ 0x71159799 system+0x1f92c8 @ 0x711592c8 system+0x1eca74 @ 0x7114ca74 system+0x1ec868 @ 0x7114c868 system+0x1f82b8 @ 0x711582b8 system+0x1ee54d @ 0x7114e54d system+0x1f70ea @ 0x711570ea system+0x1e56c0 @ 0x711456c0 system+0x1f8215 @ 0x71158215 system+0x1f6f75 @ 0x71156f75 system+0x1ee251 @ 0x7114e251 system+0x1ee229 @ 0x7114e229 system+0x1ee170 @ 0x7114e170 0x62a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75dc62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75dc6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75dc6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75dc6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7777011a system+0x1ebc85 @ 0x7114bc85 system+0x1f683b @ 0x7115683b system+0x1a5e44 @ 0x71105e44 system+0x1fd8a0 @ 0x7115d8a0 system+0x1fd792 @ 0x7115d792 system+0x1a14bd @ 0x711014bd 0x1fb0f81 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74147610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x741d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x741d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x741d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x741d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7472f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x75b5b479 registers.esp: 4448524 registers.edi: 1978982344 registers.eax: 1835008 registers.ebp: 4448728 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ July 9, 2021, 9:51 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x75b5b37e 0x65a5515 0x65a548a 0x65a2f20 0x65a2573 0x68d45b6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x74101838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x74101737 mscorlib+0x2d36ad @ 0x727d36ad mscorlib+0x308f2d @ 0x72808f2d mscorlib+0x3135ed @ 0x728135ed 0x1fb1e33 0x1fb1d06 0x1fb1c9d 0x1fb1210 system+0x1f9799 @ 0x71159799 system+0x1f92c8 @ 0x711592c8 system+0x1eca74 @ 0x7114ca74 system+0x1ec868 @ 0x7114c868 system+0x1f82b8 @ 0x711582b8 system+0x1ee54d @ 0x7114e54d system+0x1f70ea @ 0x711570ea system+0x1e56c0 @ 0x711456c0 system+0x1f8215 @ 0x71158215 system+0x1f6f75 @ 0x71156f75 system+0x1ee251 @ 0x7114e251 system+0x1ee229 @ 0x7114e229 system+0x1ee170 @ 0x7114e170 0x62a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75dc62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75dc6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75dc6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75dc6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7777011a system+0x1ebc85 @ 0x7114bc85 system+0x1f683b @ 0x7115683b system+0x1a5e44 @ 0x71105e44 system+0x1fd8a0 @ 0x7115d8a0 system+0x1fd792 @ 0x7115d792 system+0x1a14bd @ 0x711014bd 0x1fb0f81 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74147610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x741d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x741d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x741d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x741d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7472f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x75b5b479 registers.esp: 4448524 registers.edi: 1978982344 registers.eax: 10616832 registers.ebp: 4448728 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ July 9, 2021, 9:51 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x75b5b37e 0x65a5515 0x65a548a 0x65a2f20 0x65a2573 0x68d45b6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x74101838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x74101737 mscorlib+0x2d36ad @ 0x727d36ad mscorlib+0x308f2d @ 0x72808f2d mscorlib+0x3135ed @ 0x728135ed 0x1fb1e33 0x1fb1d06 0x1fb1c9d 0x1fb1210 system+0x1f9799 @ 0x71159799 system+0x1f92c8 @ 0x711592c8 system+0x1eca74 @ 0x7114ca74 system+0x1ec868 @ 0x7114c868 system+0x1f82b8 @ 0x711582b8 system+0x1ee54d @ 0x7114e54d system+0x1f70ea @ 0x711570ea system+0x1e56c0 @ 0x711456c0 system+0x1f8215 @ 0x71158215 system+0x1f6f75 @ 0x71156f75 system+0x1ee251 @ 0x7114e251 system+0x1ee229 @ 0x7114e229 system+0x1ee170 @ 0x7114e170 0x62a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75dc62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75dc6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75dc6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75dc6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7777011a system+0x1ebc85 @ 0x7114bc85 system+0x1f683b @ 0x7115683b system+0x1a5e44 @ 0x71105e44 system+0x1fd8a0 @ 0x7115d8a0 system+0x1fd792 @ 0x7115d792 system+0x1a14bd @ 0x711014bd 0x1fb0f81 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74147610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x741d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x741d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x741d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x741d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7472f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x75b5b479 registers.esp: 4448524 registers.edi: 1978982344 registers.eax: 1835008 registers.ebp: 4448728 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1
__exception__ July 9, 2021, 9:51 a.m.	stacktrace: K32EnumProcessModules+0x18 RegisterApplicationRestart-0x1be kernel32+0x3b37e @ 0x75b5b37e 0x65a5515 0x65a548a 0x65a2f20 0x65a2573 0x68d45b6 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x74101838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x74101737 mscorlib+0x2d36ad @ 0x727d36ad mscorlib+0x308f2d @ 0x72808f2d mscorlib+0x3135ed @ 0x728135ed 0x1fb1e33 0x1fb1d06 0x1fb1c9d 0x1fb1210 system+0x1f9799 @ 0x71159799 system+0x1f92c8 @ 0x711592c8 system+0x1eca74 @ 0x7114ca74 system+0x1ec868 @ 0x7114c868 system+0x1f82b8 @ 0x711582b8 system+0x1ee54d @ 0x7114e54d system+0x1f70ea @ 0x711570ea system+0x1e56c0 @ 0x711456c0 system+0x1f8215 @ 0x71158215 system+0x1f6f75 @ 0x71156f75 system+0x1ee251 @ 0x7114e251 system+0x1ee229 @ 0x7114e229 system+0x1ee170 @ 0x7114e170 0x62a08e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x75dc62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75dc6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75dc6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75dc6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x7777011a system+0x1ebc85 @ 0x7114bc85 system+0x1f683b @ 0x7115683b system+0x1a5e44 @ 0x71105e44 system+0x1fd8a0 @ 0x7115d8a0 system+0x1fd792 @ 0x7115d792 system+0x1a14bd @ 0x711014bd 0x1fb0f81 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x74082652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7409264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x74092e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x741474ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74147610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x741d1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x741d1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x741d1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x741d416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7472f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x749b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x749b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5 exception.instruction_r: 89 04 91 c7 45 fc fe ff ff ff ff 45 10 81 7d 10 exception.symbol: K32EnumProcessModules+0x113 RegisterApplicationRestart-0xc3 kernel32+0x3b479 exception.instruction: mov dword ptr [ecx + edx*4], eax exception.module: KERNEL32.dll exception.exception_code: 0xc0000005 exception.offset: 242809 exception.address: 0x75b5b479 registers.esp: 4448524 registers.edi: 1978982344 registers.eax: 10616832 registers.ebp: 4448728 registers.edx: 0 registers.ebx: 0 registers.esi: 1 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

freightmgmt.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (50 out of 188 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74081000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74082000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ea0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00637000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:50 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0063b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0649f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fbd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x068d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x068d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x068d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x068d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x068d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x068d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x068d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 53248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06e2e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06e2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06491000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

ConsoleApp131.exe tried to sleep 214 seconds, actually delayed analysis time by 214 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\_Ycmyikcyssbufotiofnemnl.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\notapad.exe'
cmdline	powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\notapad.exe'

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\_Ycmyikcyssbufotiofnemnl.vbs

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 9, 2021, 9:51 a.m.	show_type: 0 filepath_r: powershell parameters: Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\notapad.exe' filepath: powershell	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00099e00', u'virtual_address': u'0x00002000', u'entropy': 7.987198069468435, u'name': u'.text', u'virtual_size': u'0x00099c14'}

entropy

7.98719806947

description

A section with a high entropy has been found

entropy

0.947652040031

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 9, 2021, 9:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 9, 2021, 9:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://products.office.com/en-us/word)

Yara rule detected in process memory (19 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess July 9, 2021, 9:51 a.m.	status_code: 0xffffffff process_identifier: 3040 process_handle: 0x0000038c
NtTerminateProcess July 9, 2021, 9:51 a.m.	status_code: 0xffffffff process_identifier: 3040 process_handle: 0x0000038c	1
NtTerminateProcess July 9, 2021, 9:51 a.m.	status_code: 0xffffffff process_identifier: 2072 process_handle: 0x000002a4
NtTerminateProcess July 9, 2021, 9:51 a.m.	status_code: 0xffffffff process_identifier: 2072 process_handle: 0x000002a4	1

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 3040 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000035c		3221225496
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2072 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000374		3221225496
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2084 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000424	1	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

reg_value

explorer.exe,"C:\Users\test22\AppData\Roaming\notapad.exe",

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2388 manipulating memory of non-child process 3040
Process injection	Process 2388 manipulating memory of non-child process 2072
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 3040 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000035c	3221225496	0
NtAllocateVirtualMemory July 9, 2021, 9:51 a.m.	process_identifier: 2072 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000374	3221225496	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 9, 2021, 9:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $IýÓÁ(Á(Á(u´bÓ(u´`a(u´aß(Ã(À(_TÃ(úvÛ(úvû(úvã(ÈPÒ(Á(Ý)Vv(SvlÀ(VvÀ(RichÁ(PELvDË`à uð0@ØÜøJP,8ðk8l(l@0l.textÌ `.rdata"o0p@@.dataD= @À.tls à@À.gfids0ð@@.rsrcøJL@@.reloc,8P:æ@B base_address: 0x00400000 process_identifier: 2084 process_handle: 0x00000424	1	1
WriteProcessMemory July 9, 2021, 9:51 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ¤tE¨wE¢tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¨wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F(zE¨{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3$6E.?AVtype_info@@$6E.?AVbad_alloc@std@@$6E.?AVbad_array_new_length@std@@$6E.?AVlogic_error@std@@$6E.?AVlength_error@std@@$6E.?AVout_of_range@std@@$6E.?AV_Facet_base@std@@$6E.?AV_Locimp@locale@std@@$6E.?AVfacet@locale@std@@$6E.?AU_Crt_new_delete@std@@$6E.?AVcodecvt_base@std@@$6E.?AUctype_base@std@@$6E.?AV?$ctype@D@std@@$6E.?AV?$codecvt@DDU_Mbstatet@@@std@@$6E.?AVbad_exception@std@@$6E.H$6E.?AVfailure@ios_base@std@@$6E.?AVruntime_error@std@@$6E.?AVsystem_error@std@@$6E.?AVbad_cast@std@@$6E.?AV_System_error@std@@$6E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2084 process_handle: 0x00000424	1	1
WriteProcessMemory July 9, 2021, 9:51 a.m.	buffer: base_address: 0x0046e000 process_identifier: 2084 process_handle: 0x00000424	1	1
WriteProcessMemory July 9, 2021, 9:51 a.m.	buffer: ZÀ?Àd?´ÄÎÄd?Åd?^d?:a!2!§ { Åi}iÝ-Ýd?d?ÌÖÄ¢Ä~Ux0t<â,á,á]Íb¥cU'Ë¼¦óC×î®*Æ,ú b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2084 process_handle: 0x00000424	1	1
WriteProcessMemory July 9, 2021, 9:51 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2084 process_handle: 0x00000424	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 9, 2021, 9:51 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $IýÓÁ(Á(Á(u´bÓ(u´`a(u´aß(Ã(À(_TÃ(úvÛ(úvû(úvã(ÈPÒ(Á(Ý)Vv(SvlÀ(VvÀ(RichÁ(PELvDË`à uð0@ØÜøJP,8ðk8l(l@0l.textÌ `.rdata"o0p@@.dataD= @À.tls à@À.gfids0ð@@.rsrcøJL@@.reloc,8P:æ@B base_address: 0x00400000 process_identifier: 2084 process_handle: 0x00000424	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA July 9, 2021, 9:51 a.m.	thread_identifier: 0 callback_function: 0x0040887d hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	197051	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2388 called NtSetContextThread to modify thread in remote process 2084
NtSetContextThread July 9, 2021, 9:51 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4386933 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002a4 process_identifier: 2084	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\notapad.exe'
parent_process	wscript.exe				martian_process	powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\test22\AppData\Roaming\notapad.exe'

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2388 resumed a thread in remote process 2084
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2084	1	0	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.2d5b3a4197f716b1
McAfee	Artemis!2D5B3A4197F7
Alibaba	Trojan:Win32/TrojanX.2d318523
Cybereason	malicious.cf20e2
ESET-NOD32	a variant of MSIL/GenKryptik.FHIZ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	Win32:TrojanX-gen [Trj]
McAfee-GW-Edition	Artemis!Trojan
SentinelOne	Static AI - Malicious PE
Microsoft	Trojan:Win32/AgentTesla!ml
Cynet	Malicious (score: 100)
Malwarebytes	Trojan.MalPack
Ikarus	Trojan.Inject
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ABUB!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_60% (W)

Executed a process and injected code into it, probably while unpacking (50 out of 85 events)

Time & API	Arguments	Status
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x00000328 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x00000358 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x00000370 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x00000388 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:50 a.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000003d0 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000003e4 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000003f8 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000428 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x0000043c suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000450 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 2388	1
NtGetContextThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000000e0	1
NtGetContextThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000000e0	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2388	1
NtGetContextThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000000e0	1
NtGetContextThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000000e0	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x0000042c suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x0000040c suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000003f4 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x0000042c suspend_count: 1 process_identifier: 2388	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000424 suspend_count: 1 process_identifier: 2388	1
NtGetContextThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000444	1
NtGetContextThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000444	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2388	1
NtGetContextThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000444	1
NtGetContextThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000444	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2388	1
NtGetContextThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000000e0	1
NtGetContextThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000000e0	1
NtResumeThread July 9, 2021, 9:51 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2388	1

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (21 events)

dead_host	192.168.56.102:49187
dead_host	192.168.56.102:49173
dead_host	192.168.56.102:49184
dead_host	192.168.56.102:49178
dead_host	192.168.56.102:49185
dead_host	192.168.56.102:49179
dead_host	194.5.98.207:691
dead_host	192.168.56.102:49176
dead_host	192.168.56.102:49170
dead_host	192.168.56.102:49177
dead_host	192.168.56.102:49188
dead_host	192.168.56.102:49171
dead_host	192.168.56.102:49182
dead_host	192.168.56.102:49168
dead_host	192.168.56.102:49183
dead_host	192.168.56.102:49169
dead_host	192.168.56.102:49180
dead_host	192.168.56.102:49174
dead_host	192.168.56.102:49181
dead_host	192.168.56.102:49175
dead_host	192.168.56.102:49186

ConsoleApp131.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All