Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 20, 2021, 8:02 a.m.	July 20, 2021, 8:08 a.m.

Size	692.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2308cedb77f66e4a821d57e8ee1e08a5`
SHA256	`8eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b`
CRC32	`FC226A34`
ssdeep	`12288:wX2JVHMRtDaSm3TJvVNvWV5YTsY7tHwbz/htfcoCoK632zb7G/QXiU:2ss2Sm39NNv9wY7tHwbzfIoK6MosiU`
Yara	PE_Header_Zero - PE File Signature Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware IsPE32 - (no description) UPX_Zero - UPX packed file Malicious_Packer_Zero - Malicious Packer Win_Backdoor_njRAT_Zero - Win Backdoor njRAT

jjroblox.exe "C:\Users\test22\AppData\Local\Temp\jjroblox.exe"
2972
- cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp\jjroblox.exe" +s +h
  872
  - attrib.exe attrib "C:\Users\test22\AppData\Local\Temp\jjroblox.exe" +s +h
    1460
- cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h
  1772
  - attrib.exe attrib "C:\Users\test22\AppData\Local\Temp" +s +h
    556
- notepad.exe notepad
  1472
- msdcsc.exe "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
  2576
  - notepad.exe notepad
    2548

Name	Response	Post-Analysis Lookup
secret92.ddns.net	A 78.62.182.29	78.62.182.29

IP Address	Status	Action
164.124.101.2	Active	Moloch
78.62.182.29	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:65329 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:54056 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:50851 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:60751 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:55450 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:59369 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:56977 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:57460 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:56887 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.101:62902 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW July 20, 2021, 8:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1	0
WriteConsoleW July 20, 2021, 8:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 20, 2021, 8:02 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

DBIND

Connects to a Dynamic DNS Domain (1 event)

domain

secret92.ddns.net

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ff0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ca2000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

msdcsc.exe tried to sleep 228 seconds, actually delayed analysis time by 228 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\NJ.EXE

Creates a suspicious process (4 events)

cmdline	cmd.exe /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h
cmdline	cmd.exe /k attrib "C:\Users\test22\AppData\Local\Temp\jjroblox.exe" +s +h
cmdline	"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp\jjroblox.exe" +s +h
cmdline	"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\NJ.EXE

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\jjroblox.exe
file	C:\Users\test22\AppData\Local\Temp\NJ.EXE

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 20, 2021, 8:02 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /k attrib "C:\Users\test22\AppData\Local\Temp\jjroblox.exe" +s +h filepath: cmd.exe	1	1
ShellExecuteExW July 20, 2021, 8:02 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h filepath: cmd.exe	1	1
CreateProcessInternalW July 20, 2021, 8:02 a.m.	thread_identifier: 1188 thread_handle: 0x00000314 process_identifier: 1472 current_directory: filepath: track: 1 command_line: notepad filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000318	1	1
CreateProcessInternalW July 20, 2021, 8:02 a.m.	thread_identifier: 2768 thread_handle: 0x00000254 process_identifier: 2548 current_directory: filepath: track: 1 command_line: notepad filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000258	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (20 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW July 20, 2021, 8:02 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Terminates another process (1 event)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 20, 2021, 8:02 a.m.	status_code: 0x00000000 process_identifier: 1472 process_handle: 0x00000164		0	0

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	cmd.exe /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h
cmdline	cmd.exe /k attrib "C:\Users\test22\AppData\Local\Temp\jjroblox.exe" +s +h
cmdline	"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
cmdline	"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp\jjroblox.exe" +s +h
cmdline	attrib "C:\Users\test22\AppData\Local\Temp" +s +h
cmdline	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
cmdline	attrib "C:\Users\test22\AppData\Local\Temp\jjroblox.exe" +s +h
cmdline	"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h

Allocates execute permission to another process indicative of possible code injection (33 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00160000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00170000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00030000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00160000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00170000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00180000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00200000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1

Installs itself for autorun at Windows startup (14 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit	reg_value	C:\Windows\system32\userinit.exe,C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate	reg_value	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Creates known Fynloski/DarkComet files, registry keys and/or mutexes (5 events)

mutex	DC_MUTEX-A6ET8RQ
mutex	DCPERSFWBP
regkey	HKEY_CURRENT_USER\Software\DC3_FEXEC
regkey	HKEY_CURRENT_USER\Software\DC2_USERS
file	C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\oqyLUmi211Cb\msdcsc.exe

Potential code injection by writing to the memory of another process (33 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: kernel32.dll base_address: 0x00010000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: user32.dll base_address: 0x00020000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: Sleep base_address: 0x000b0000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: MessageBoxA base_address: 0x000c0000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: ExitThread base_address: 0x000d0000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: DeleteFileA base_address: 0x00120000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: GetLastError base_address: 0x00130000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: TerminateProcess base_address: 0x00140000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: CloseHandle base_address: 0x00150000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: OpenProcess base_address: 0x00160000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: GetExitCodeProcess base_address: 0x00170000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\jjroblox.exe base_address: 0x001c0000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: ×Isu"suF@Õ?wDTsuÀsuØtususuMtu À base_address: 0x00030000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: UìSVW]C4PC,PÿPÿSCC8PC0PÿPÿSCC<PC,PÿPÿSCC@PC,PÿPÿSCCDPC,PÿPÿSCCHPC,PÿPÿSCCTPC,PÿPÿSC CLPC,PÿPÿSC$CPPC,PÿPÿSC(ëÿSøthôÿSC\PÿSÀtåCXPjjÿS$ðötWVÿS(WVÿSVÿS jÿS_^[]ÂÀUìÄ@ÿÿÿSV3ÉMôUøEüEüè ùÿEøè ùÿu3ÀUhfRGdÿ0d Pÿÿÿ3ÉºDèëøÿÇPÿÿÿDÇ\|ÿÿÿfÇE@ÿÿÿPPÿÿÿPjjhjjjEüè´ ùÿPjèp)ùÿ@ÿÿÿEüè.RùÿÀu Eüº\|RGèyùÿEøèRùÿÀu Uø3ÀèÏ¡ùÿEôUøèXùÿºRGÃèüüÿÿF,ºRGÃèíüÿÿF0º RGÃèÞüÿÿF4º¨RGÃèÏüÿÿF8º´RGÃèÀüÿÿF<ºÀRGÃè±üÿÿF@ºÌRGÃè¢üÿÿFDºÜRGÃèüÿÿFHºðRGÃèüÿÿFTºüRGÃèuüÿÿFLºSGÃèfüÿÿFPEôè¿ùÿÐÃèRüÿÿF\HÿÿÿFXhSGh,SGèÇ)ùÿPèÉ)ùÿh8SGh,SGè°)ùÿPè²)ùÿFh RGh,SGè)ùÿPè)ùÿFh¨RGh,SGè)ùÿPè)ùÿFh´RGh,SGèh)ùÿPèj)ùÿFhÀRGh,SGèP)ùÿPèR)ùÿFhÌRGh,SGè8)ùÿPè:)ùÿFhÜRGh,SGè )ùÿPè")ùÿFhðRGh,SGè)ùÿPè )ùÿF hüRGh,SGèð(ùÿPèò(ùÿF$hSGh,SGèØ(ùÿPèÚ(ùÿF(j`jÎº´NGÃèõûÿÿ3ÀZYYdhmRGEôºèïùÿÃ base_address: 0x001d0000 process_identifier: 1472 process_handle: 0x00000318	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: kernel32.dll base_address: 0x000f0000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: user32.dll base_address: 0x00100000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: Sleep base_address: 0x00110000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: MessageBoxA base_address: 0x00120000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: CreateProcessA base_address: 0x00130000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: GetLastError base_address: 0x00140000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: SetLastError base_address: 0x00150000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: CreateMutexA base_address: 0x00160000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: CloseHandle base_address: 0x00170000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: ExitThread base_address: 0x00180000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: OpenProcess base_address: 0x001d0000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: DCPERSFWBP base_address: 0x00010000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: TerminateProcess base_address: 0x00020000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: GetExitCodeProcess base_address: 0x001e0000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: DC_MUTEX-A6ET8RQ base_address: 0x001f0000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: WaitForSingleObject base_address: 0x00200000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe base_address: 0x00290000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: ×Isu"suý`uÿsuÀsursu6su©suÕ?wsuØtusuMtukLsu )ô base_address: 0x002a0000 process_identifier: 2548 process_handle: 0x00000258	1	1
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: UìÄ¬SVW]C@PC8PÿPÿSCCDPC<PÿPÿSCCTPC8PÿPÿSCCXPC8PÿPÿSCCHPC8PÿPÿSCCLPC8PÿPÿSCCPPC8PÿPÿSC4C`PC8PÿPÿSC,ClPC8PÿPÿSC(ChPC8PÿPÿSC0CdPC8PÿPÿSC CpPC8PÿPÿSC$jÿSCxPjjÿS4ÿS=·u$C\|PjjÿS$øÿtVWÿS0VWÿS(WÿS,jÿS jÿSC\PjjÿS4øÿS=·tRWÿS,ÇE¼DE¬PE¼PjjjjjjCtPjÿSÀt3öhÈE¬PÿSèsÎÿötèë¼hÐÿSë²WÿS,hôÿSë_^[å]ÂUìÄ ÿÿÿSVWMôUøEüEüèËùÿEøèÃùÿEôè»ùÿµtÿÿÿ3ÀUhIXGdÿ0d 0ÿÿÿ3ÉºDè½åøÿÇ0ÿÿÿDÇ\ÿÿÿfÇ`ÿÿÿEüèMùÿÀu Eüº`XGè[ùÿEøè÷LùÿÀu Uø3Àè±ùÿ¿hXG ÿÿÿP0ÿÿÿPjjhjjjEüè/ùÿPjèë#ùÿ ÿÿÿºtXGÃè±÷ÿÿF8ºXGÃè¢÷ÿÿF<ºXGÃè÷ÿÿF@ºXGÃè÷ÿÿFDº¤XGÃèu÷ÿÿFTº´XGÃèf÷ÿÿFHºÄXGÃèW÷ÿÿFLºÔXGÃèH÷ÿÿFPºäXGÃè9÷ÿÿF`ºðXGÃè÷ÿÿFdºüXGÃè÷ÿÿFp×Ãè÷ÿÿFxºYGÃè÷ÿÿFlºYGÃèñöÿÿFhEôèJùÿÐÃèÝöÿÿF\º0YGÃèÎöÿÿFXEøè'ùÿÐÃèºöÿÿFt(ÿÿÿF\|hDYGhTYGè/$ùÿPè1$ùÿh`YGhTYGè$ùÿPè$ùÿFhXGhTYGè$ùÿPè$ùÿFhXGhpYGèè#ùÿPèê#ùÿFhäXGhTYGèÐ#ùÿPèÒ#ùÿF,h¤XGhTYGè¸#ùÿPèº#ùÿFh´XGhTYGè #ùÿPè¢#ùÿFhÄXGhTYGè#ùÿPè#ùÿFhÔXGhTYGèp#ùÿPèr#ùÿF4hYGhTYGèX#ùÿPèZ#ùÿF0hðXGhTYGè@#ùÿPèB#ùÿF hYGhTYGè(#ùÿPè#ùÿF(h0YGhTYGè#ùÿPè#ùÿFhüXGhTYGèø"ùÿPèú"ùÿF$hjÎºHSGÃèöÿÿ3ÀZYYdhPXGEôºèýøÿÃ base_address: 0x002b0000 process_identifier: 2548 process_handle: 0x00000258	1	1

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA July 20, 2021, 8:02 a.m.	thread_identifier: 0 callback_function: 0x00481bc0 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	3474005	0

Modifies security center warnings (2 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify

Stops Windows services (1 event)

service

wscsvc (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start)

Disables Windows Security features (2 events)

description	attempts to disable antivirus notifications				registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description	attempts to disable windows update notifications				registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify

Executed a process and injected code into it, probably while unpacking (50 out of 79 events)

Time & API	Arguments	Status	Return
NtResumeThread July 20, 2021, 8:02 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2972	1	0
CreateProcessInternalW July 20, 2021, 8:02 a.m.	thread_identifier: 1684 thread_handle: 0x000002d0 process_identifier: 872 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp\jjroblox.exe" +s +h filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d8	1	1
CreateProcessInternalW July 20, 2021, 8:02 a.m.	thread_identifier: 1824 thread_handle: 0x000002d0 process_identifier: 1772 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\test22\AppData\Local\Temp" +s +h filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c4	1	1
CreateProcessInternalW July 20, 2021, 8:02 a.m.	thread_identifier: 1332 thread_handle: 0x0000031c process_identifier: 2256 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\NJ.EXE track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\NJ.EXE" filepath_r: C:\Users\test22\AppData\Local\Temp\NJ.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000328	1	1
CreateProcessInternalW July 20, 2021, 8:02 a.m.	thread_identifier: 1188 thread_handle: 0x00000314 process_identifier: 1472 current_directory: filepath: track: 1 command_line: notepad filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00010000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: kernel32.dll base_address: 0x00010000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: user32.dll base_address: 0x00020000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: Sleep base_address: 0x000b0000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: MessageBoxA base_address: 0x000c0000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: ExitThread base_address: 0x000d0000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: DeleteFileA base_address: 0x00120000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: GetLastError base_address: 0x00130000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: TerminateProcess base_address: 0x00140000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: CloseHandle base_address: 0x00150000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00160000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: OpenProcess base_address: 0x00160000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00170000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: GetExitCodeProcess base_address: 0x00170000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\jjroblox.exe base_address: 0x001c0000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00030000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: ×Isu"suF@Õ?wDTsuÀsuØtususuMtu À base_address: 0x00030000 process_identifier: 1472 process_handle: 0x00000318	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 1472 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000318	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: UìSVW]C4PC,PÿPÿSCC8PC0PÿPÿSCC<PC,PÿPÿSCC@PC,PÿPÿSCCDPC,PÿPÿSCCHPC,PÿPÿSCCTPC,PÿPÿSC CLPC,PÿPÿSC$CPPC,PÿPÿSC(ëÿSøthôÿSC\PÿSÀtåCXPjjÿS$ðötWVÿS(WVÿSVÿS jÿS_^[]ÂÀUìÄ@ÿÿÿSV3ÉMôUøEüEüè ùÿEøè ùÿu3ÀUhfRGdÿ0d Pÿÿÿ3ÉºDèëøÿÇPÿÿÿDÇ\|ÿÿÿfÇE@ÿÿÿPPÿÿÿPjjhjjjEüè´ ùÿPjèp)ùÿ@ÿÿÿEüè.RùÿÀu Eüº\|RGèyùÿEøèRùÿÀu Uø3ÀèÏ¡ùÿEôUøèXùÿºRGÃèüüÿÿF,ºRGÃèíüÿÿF0º RGÃèÞüÿÿF4º¨RGÃèÏüÿÿF8º´RGÃèÀüÿÿF<ºÀRGÃè±üÿÿF@ºÌRGÃè¢üÿÿFDºÜRGÃèüÿÿFHºðRGÃèüÿÿFTºüRGÃèuüÿÿFLºSGÃèfüÿÿFPEôè¿ùÿÐÃèRüÿÿF\HÿÿÿFXhSGh,SGèÇ)ùÿPèÉ)ùÿh8SGh,SGè°)ùÿPè²)ùÿFh RGh,SGè)ùÿPè)ùÿFh¨RGh,SGè)ùÿPè)ùÿFh´RGh,SGèh)ùÿPèj)ùÿFhÀRGh,SGèP)ùÿPèR)ùÿFhÌRGh,SGè8)ùÿPè:)ùÿFhÜRGh,SGè )ùÿPè")ùÿFhðRGh,SGè)ùÿPè )ùÿF hüRGh,SGèð(ùÿPèò(ùÿF$hSGh,SGèØ(ùÿPèÚ(ùÿF(j`jÎº´NGÃèõûÿÿ3ÀZYYdhmRGEôºèïùÿÃ base_address: 0x001d0000 process_identifier: 1472 process_handle: 0x00000318	1	1
CreateProcessInternalW July 20, 2021, 8:02 a.m.	thread_identifier: 2040 thread_handle: 0x00000480 process_identifier: 2576 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe track: 1 command_line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe" filepath_r: C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000048c	1	1
CreateProcessInternalW July 20, 2021, 8:02 a.m.	thread_identifier: 2888 thread_handle: 0x00000084 process_identifier: 1460 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\attrib.exe track: 1 command_line: attrib "C:\Users\test22\AppData\Local\Temp\jjroblox.exe" +s +h filepath_r: C:\Windows\system32\attrib.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW July 20, 2021, 8:02 a.m.	thread_identifier: 2856 thread_handle: 0x00000084 process_identifier: 556 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\attrib.exe track: 1 command_line: attrib "C:\Users\test22\AppData\Local\Temp" +s +h filepath_r: C:\Windows\system32\attrib.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread July 20, 2021, 8:02 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1472	1	0
NtResumeThread July 20, 2021, 8:02 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2576	1	0
CreateProcessInternalW July 20, 2021, 8:02 a.m.	thread_identifier: 2768 thread_handle: 0x00000254 process_identifier: 2548 current_directory: filepath: track: 1 command_line: notepad filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000258	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: kernel32.dll base_address: 0x000f0000 process_identifier: 2548 process_handle: 0x00000258	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: user32.dll base_address: 0x00100000 process_identifier: 2548 process_handle: 0x00000258	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: Sleep base_address: 0x00110000 process_identifier: 2548 process_handle: 0x00000258	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00120000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: MessageBoxA base_address: 0x00120000 process_identifier: 2548 process_handle: 0x00000258	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0
WriteProcessMemory July 20, 2021, 8:02 a.m.	buffer: CreateProcessA base_address: 0x00130000 process_identifier: 2548 process_handle: 0x00000258	1	1
NtAllocateVirtualMemory July 20, 2021, 8:02 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00140000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	78.62.182.29:8082
dead_host	78.62.182.29:82

jjroblox.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All